Security of information is critical to all corporations and is one of the many areas of competency established with Enterprise Risk Management. The weakness of traditional risk management is the focus on historical precedence rather than forward looking investigative approach. For example, the number of cases reported historically leads corporate IT to the usual suspects such as external hackers. This leads to heavy investments in systems infrastructure and many times overly burdensome security restrictions that interfere with daily business activities. Unlike traditional risk management, Enterprise Risk Management avoids this silo mentality by using a root cause approach to take a comprehensive view of risk. The root cause method looks at risks, such as information security, from all angles including processes and relationships as well as people, systems and external sources. Enterprise Risk Management recognizes that the chain is only as strong as the weakest link. Over investment in one area without the others is understood as not a good use of resources.

Leading corporations are quickly adopting Enterprise Risk Management for this reason. However, some corporations are slow to adopt Enterprise Risk Management best practices and extend their programs to line management. According to a recent survey, although 70 percent of corporations say they intend to adopt Enterprise Risk Management in the next few years, many organizations have not met their Enterprise Risk Management goals. The following true story highlights the peril of not putting urgency behind rolling out an Enterprise Risk Management program to operational areas across the enterprise.

ChoicePoint is the largest data broker that assembles personal information records on all of us. ChoicePoint, like so many corporations, make assurances on data security. They probably truly believes that they are aware of all risks facing them as they claim and also believe that their organizations are effectively addressing those risks as needed. Certainty of conviction should not be mistaken for investigative knowledge, especially if that investigation may rely on a flawed process. According to a recent New York Times article, “Keeping Your Enemies Close” for years, ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: “Our systems are bulletproof. Intruder-proof. Believe us.”

However in February 2005, according to the New York Times, ChoicePoint had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists entering unnoticed through the front door. This year, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency’s history, for security and record-handling procedures that violated the rights of consumers. The ChoicePoint operations process for approving business partners was vulnerable. Fraudsters were officially becoming business partners by exploiting ChoicePoint’s business process and practices. That kind of vulnerability can best be uncovered by using risk assessments conducted by the operations team which is typical of an Enterprise Risk Management approach. The more rigorous the Enterprise Risk Management framework used to conduct this assessment the more effective and valuable the results will be. Process-driven software with embedded frameworks can help create a repeatable and sustainable process.

Lessons learned from this story:
1) Roll-out your Enterprise Risk Management charter to your line managers
2) Use root cause as part of self-assessments to understand the source of risk
3) Use best practice risk indicators that are forward looking in nature to uncover risks
4) Develop clear measures of the penetration of your Enterprise Risk Management program
5) Measure the progress of your Enterprise Risk Management program roll-out and don’t allow the timetable to slip.

Review lesson number one or your successor may be doing that for you.

Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification | Permalink | Comments (2) | TrackBacks (0)

Amaranth Advisors lost roughly $5 billion in a week, and this is from a hedge fund that boasted of world-class risk-management systems. The result is a loss of 50% of the company’s asset base best summarized by this USAToday headline Faced with billions lost, Amaranth Advisors will shut down.

Amaranth Advisors was described as increasingly brash in their investments due to their confidence in their quantitative approach to risk management. According to this article in Business News, “The risk models employed by hedge funds use historic data, but the natural-gas markets have been more volatile this year than any year since 2001, making models less useful. They also might not predict how much selling of one’s stakes to get out of a position can cause prices to fall.” The Amaranth Advisors risk culture also had its roots in convertible-bond trading, a less-volatile market.

Enterprise Risk Management (ERM) best practices add a forward looking and scenario based approach for a more balanced and comprehensive view of risk. ERM is a process comprised of a series of iterative and sequential steps to enable continuous improvement in decision-making and performance with regards to the reduction of uncertainty within an organization. ERM helps a management team examine the markets in which it operates and formalize the acceptable risk tolerance for each segment. This process-driven approach helps a company set more appropriate controls to bring the business in alignment with the established risk appetite. This approach addresses the root cause of potential future problems rather than monitor transactions for historic symptoms.

The Amaranth Advisors outcome is a classic case that demonstrates the pitfall of an overly quantitative approach to risk management. Companies that have an over reliance on the traditional quantitative approach to risk management, namely the use of automated triggers based on data analysis to control risk, is much like the Emperor in the fabled children’s story who believed too heavily in just one approach for the source of his information.

Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification | Permalink | Comments (0) | TrackBacks (0)

Whenever there is a disaster or event that causes losses, it is usually proven that someone or several employees in middle management or on the front lines had been forecasting the event years before but no action had been taken. The recent story of British Petroleum’s oil pipeline leak in Alaska is no different. The headline from the CNN news story, BP was warned, this week reads “Interviews with employees and a 2002 letter predicting 'catastrophe' show that BP’s problems should have come as no surprise to management”

According to the article, “One current BP employee who worked at both Prudhoe Bay and in Texas and spoke to Fortune on condition of anonymity says no one should be surprised by what eventually occurred. "The mantra was, Can we cut costs 10 percent?” he recalls.

How can such bad decision making be made by such smart people? The answer is found in the over reliance on quantitative analysis. There is a philosophy among some risk managers that all answers can be found in the deep quantitative analysis of the numbers in databases to detect patterns. This is true for high frequency risks. However, for low frequency and high impact risks (like the BP oil leak) quantitative analysis will often lead to incorrect decision making or more analysis with no decision making at all. First, there is insufficient data historically to analyze and many possible outcomes can easily and incorrectly be “fit to the data”. Second, with too little data, the patterns of correlation, dependency and therefore big picture ramifications can not be easily understood.

The solution is Enterprise Risk Management (ERM). ERM is an iterative and sequential series of steps that utilizes risk self-assessment (the process of identifying and evaluating risk with regard to their potential impact and likelihood, as well as related controls) as well as the subsequent risk management process of control evaluation, action plan definition, monitoring of risk- and implementation development. Enterprise Risk Management starts with a holistic and qualitative approach to first identify all the possible root causes of an issue and then systematically help quantify the total risk consequence taking all the possibilities into consideration with scenario analysis and if needed quantitative analysis.

Quantitative analysis is expensive and very focused in applicability. Enterprise Risk Management is all about best practices of performing a self-assessment and scenario analysis before deciding where, when and how to invest in an deeper quantitative analysis like loss database approaches. With ERM, management can prioritize the full costs versus the benefits to make a better decision. You can download a whitepaper on Risk Event Classification. Click here to download.

Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification • Risk Mitigation | Permalink | Comments (1) | TrackBacks (0)

Based on the opinion poll within my last blog, interest was highest for the question: How to surface common knowledge security issues that management doesn't know about?

You are in good company. At the SIA risk conference I had the opportunity to meet with Richard G. Ketchum, Chief Executive Officer of the New York Stock Exchange Regulation. One of the major themes he spoke about was the need for Technology Assessments to review governance, risk and compliance issues. He commented that adoption of new technology combined with changes due to mergers and acquisitions have left corporate systems frail and patched 3-4 levels below the senior management level where they are "common knowledge" by operational staff members. He mentioned that these high risk field issues however are frequently not known or understood by leadership and audit committees. He further spoke of the need for best practices to be implemented to identify reporting and control gaps.

When asked about methods to approach this problem, Mr. Ketchum commented “Precision in an imprecise area is dangerous” and suggested to look at the qualitative risk assessment approach of Enterprise Risk Management tools. He further commented that high risk subjects include processes with deficiencies, that have been triaged, areas not well connected, and legacy systems. Issues to focus on include operations and control practices.

COBIT 4.0 is just such a set of operational and control best practices that can help in this endeavor. According to ISACA, the publisher, COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Craig Symons at Forrester research, comments that "COBIT 4.0 Is A Strong Governance Platform"

You can download a complementary copy of the new COBIT 4.0 best practices document on my website. I also recommend reading my article on Risk Maturity Models to best understand how to use the COBIT 4.0 framework, "The Elephant at the Enterprise Risk Management Party"

My next blog will address the number two voted issue in the opinion poll of my last blog "How to draw the line between acceptable and unacceptable risks?"

Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Identification • Risk Maturity Model | Permalink | Comments (1) | TrackBacks (0)

In my last Blog I referenced the article History of Intelligence Failures illustrating the most spectacular military intelligence failures over the course of history. I also presented my adapted list of the 6 most important root cause reasons resulting in business risk failures, Looking for Risks in all the wrong places?

Jacob commented on my Blog "You mean to say all above mentioned business challenges can be handled by Enterprise Risk Management Software?" My Blog below will provide a definitive yes. Below is an outline on how Enterprise Risk Management together with the right software can effect the impact and/or likelihood of these failures showing up on your watch.

First of all, let's define Enterprise Risk Management. According the Australian Risk Standard it is the culture, processes and structures that are directed towards realizing potential opportunities while managing adverse effects".

Now let's look at those 6 risk coverage vulnerabilities:
Overestimation - a determination to overemphasize information, leading to a false conclusion.

Enterprise Risk Management establishes a standard and easy to understand methodology to systematically identify, qualify and quantify risk. The hard part is getting started. Software facilitates the identification and assessment process and offers three criteria, Impact, Likelihood and Effectiveness of Controls for you to score risk in order to prioritize and balance all the aspects of risk and performance to get a more objective estimation. Establishing objective criteria is the first defense against overemphasizing or becoming blinded by your own or convictions or those of others.

Underestimation - business analysts or leadership completely misreads a competitor's intentions, market event or regulators guidance or intentions.

Key risk indicators help prompt thinking about how risk can effect your organization in different ways and a variety of different angles. Further, strategic key risk indicators are designed to help uncover disruptive threats that are difficult to address with traditional risk approaches. A quality ERM software package should come with a robust library of key risk indicators organized by industry, function and core process.

Over-confidence - bad assumptions based on our own certainty on how we would handle the situation.

These embedded best practice risk indicator libraries together with the software framework help us to do gap analysis on how our organization is looking a issues versus the lessons learned by peers in our industries. A framework should incorporate best practices from leading industry organizations such as Standard & Poor's, Australian Risk Management Standard, COBIT for IT Governance and Security, COSO for Financial Controls and other frameworks.

Complacency - something is going to happen, though not sure what or when, and yet no action is taken.

You do not have to take action on every risk, but you do need to quantify and measure your current risk and compare it with your thresholds of acceptable risk to decide to monitor, take action or if the risk is adequate. Using software to standardize the process and capture risk issues helps formalize the process and escalate issues for follow-up. Software helps manage the workflow of assigning roles and responsibilities as well as follow-up notifications and tracking.

Ignorance - When there is virtually no intelligence, we are at the mercy of events.

Much like TurboTax for personal taxation, we don't have to be experts on everything. The software can prompt us for the relevant information and walk us through the process to successful compliance and even tax savings. The Enterprise Risk Management software embeds best practice risk methodology which is all about embedding risk management in the existing culture of an organization. That means everything from planning and analysis process, capital allocations, performance evaluation, strategic planning, internal audit, IT business continuity and security assessments, etc.

Failure to join the dots - failure to make connections between bits of intelligence to make a coherent whole.

Ad hoc Risk Management done with home grown tools lends itself to having information buried in spreadsheets and word documents all throughout the corporation. Many times there is a dependency between a risk in one business area with a risk in another business area or a compound risk of two separate but identical risks in separate areas occurring at the same time that can be worse than either risk individually. Aggregating this information up to interactive dashboards and flexible reporting that can filter and present risk segmented by risk or by risk dependencies is invaluable in seeing the big picture.

Now that we have walked through the concepts, you may be interested to read a real life company's story in InformationWeek's article last month, Software makes risk management easier to swallow.

Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Identification | Permalink | Comments (1) | TrackBacks (0)

IBM announced today their newest Risk Management service offering, Contingency Planning Assessment in their press release, IBM TO HELP COMPANIES DETERMINE PANDEMIC PREPAREDNESS. I had the opportunity to speak with Rich Cocchiara, IBM Distinguished Engineer & CTO for Business Resilience at IBM prior to their announcement. Rich made the point that business continuity and disaster recovery and crisis management is constantly evolving and that new threats need new strategies. Rich outlined a few of the differences to consider in planning for a Bird Flu Pandemic versus a traditional business continuity and disaster recovery issue.

1) People vs. Infrastructure Resources - Bird Flu scenarios can affect up to 40% of employees where traditional business continuity has been all about the physical property infrastructure of buildings, transportation, data and communications.
2) Global vs. Local Geographies - a Pandemic is forecast to affect multiple cities, regions and entire countries simultaneously where traditional business continuity planning has been focused on reactions to single localized events.
3) Long term vs. Temporary Impacts - Avian Flu may have several waves lasting several years and may change the way business is conducted on the long term, where traditional business continuity has been thought of as a few days to a few weeks in duration.

Rich posed the question on corporate preparedness "Does your organization know how operations will be impacted due to a health Pandemic? What business areas will need to be shut down or functions, locations or processes abandoned?” Rich also pointed out that all organizations are impacted, including small and medium sized businesses, not just the largest enterprises and government agencies.

Rich also commented on the importance of risk management software tools to support an Enterprise Risk Management program for identifying and assessing scenarios, evaluating options as well as planning and tracking results. Further, having Corporate Objectives and a Performance Management view in mind can also help address current business operations issues to help make your business better today. For example, enabling business processes for greater effectiveness in telecommuting or shifting operational capabilities for work between offices and regions can help business reduce costs and increase productivity today even if a bird flu pandemic does not materialize.

This announcement by IBM validates the critical need to put an enterprise framework in place with both a methodology and process to constantly reevaluate thinking and planning on how risk can impact your business and what actions need to be taken.

What is keeping you up at night and what are you doing about it?

Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Mitigation • Software | Permalink | Comments (0) | TrackBacks (0)