November 16, 2006
Information Security and Enterprise Risk Management
Security of information is critical to all corporations and is one of the many areas of competency established within Enterprise Risk Management. The weakness of traditional risk management is its focus on historical precedent rather than a forward-looking, investigative approach. For example, the number of cases reported historically leads corporate IT to the usual suspects, such as external hackers. This leads to heavy investment in systems infrastructure and, many times, to overly burdensome security restrictions that interfere with daily business activities. Unlike traditional risk management, Enterprise Risk Management avoids this silo mentality by using a root cause approach to take a comprehensive view of risk. The root cause method looks at risks, such as information security, from all angles, including processes and relationships as well as people, systems and external sources. Enterprise Risk Management recognizes that the chain is only as strong as its weakest link. Over-investment in one area at the expense of the others is recognized as a poor use of resources.
Leading corporations are quickly adopting Enterprise Risk Management for this reason. However, some corporations are slow to adopt Enterprise Risk Management best practices and extend their programs to line management. According to a recent survey, although 70 percent of corporations say they intend to adopt Enterprise Risk Management in the next few years, many organizations have not met their Enterprise Risk Management goals. The following true story highlights the peril of not putting urgency behind rolling out an Enterprise Risk Management program to operational areas across the enterprise.
ChoicePoint is the largest data broker assembling personal information records on all of us. ChoicePoint, like so many corporations, makes assurances on data security. Its management probably truly believes, as it claims, that it is aware of all the risks facing the company and that the organization is effectively addressing those risks as needed. Certainty of conviction should not be mistaken for investigative knowledge, especially if that investigation relies on a flawed process. According to a recent New York Times article, “Keeping Your Enemies Close,” for years ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: “Our systems are bulletproof. Intruder-proof. Believe us.”
However, in February 2005, according to the New York Times, ChoicePoint had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists entering unnoticed through the front door. This year, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency’s history, for security and record-handling procedures that violated the rights of consumers. ChoicePoint’s operational process for approving business partners was vulnerable: fraudsters officially became business partners by exploiting ChoicePoint’s business process and practices. That kind of vulnerability is best uncovered by risk assessments conducted by the operations team itself, which is typical of an Enterprise Risk Management approach. The more rigorous the Enterprise Risk Management framework used to conduct this assessment, the more effective and valuable the results will be. Process-driven software with embedded frameworks can help create a repeatable and sustainable process.
Lessons learned from this story:
1) Roll out your Enterprise Risk Management charter to your line managers
2) Use root cause as part of self-assessments to understand the source of risk
3) Use best practice risk indicators that are forward looking in nature to uncover risks
4) Develop clear measures of the penetration of your Enterprise Risk Management program
5) Measure the progress of your Enterprise Risk Management program roll-out and don’t allow the timetable to slip.
Review lesson number one or your successor may be doing that for you.
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification | Permalink | Comments (2) | TrackBacks (0)
October 26, 2006
Amaranth Advisors revealed; The Emperor has no clothes
Amaranth Advisors lost roughly $5 billion in a week, and this from a hedge fund that boasted of world-class risk-management systems. The result is a loss of 50% of the company’s asset base, best summarized by this USAToday headline: “Faced with billions lost, Amaranth Advisors will shut down.”
Amaranth Advisors was described as increasingly brash in their investments due to their confidence in their quantitative approach to risk management. According to this article in Business News, “The risk models employed by hedge funds use historic data, but the natural-gas markets have been more volatile this year than any year since 2001, making models less useful. They also might not predict how much selling of one’s stakes to get out of a position can cause prices to fall.” The Amaranth Advisors risk culture also had its roots in convertible-bond trading, a less-volatile market.
Enterprise Risk Management (ERM) best practices add a forward-looking, scenario-based approach for a more balanced and comprehensive view of risk. ERM is a process composed of a series of iterative and sequential steps that enable continuous improvement in decision-making and performance with regard to reducing uncertainty within an organization. ERM helps a management team examine the markets in which it operates and formalize the acceptable risk tolerance for each segment. This process-driven approach helps a company set more appropriate controls to bring the business into alignment with the established risk appetite. It addresses the root cause of potential future problems rather than monitoring transactions for historic symptoms.
The Amaranth Advisors outcome is a classic case demonstrating the pitfall of an overly quantitative approach to risk management. Companies that over-rely on the traditional quantitative approach to risk management, namely the use of automated triggers based on data analysis to control risk, are much like the Emperor in the fabled children’s story who believed too heavily in just one source of information.
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification
October 17, 2006
The Power of Expert Opinion: A Lesson in Risk Management
The book “Blink” by Malcolm Gladwell is a must-read for risk managers. Chapter one opens by describing the approach the J. Paul Getty Museum used to perform due diligence on a famous statue’s authenticity prior to acquiring it for its collection. This is a classic low-frequency, high-impact event with a price tag of $10 million for the statue. The museum hired a team of consultants and lawyers that did deep analysis. For example, a geologist determined that the marble used for the statue was consistent with the statue’s claimed origin, and a legal team traced a paper trail validating the chain of ownership. After 14 months of investigation, the Getty Museum staff, with the help of professional consultants, concluded the statue was authentic, and the Getty Museum made the purchase.
However, when the statue was shown to art experts, their conclusion was immediate: it was a fraud. Although the statue had all the obvious telltale signs of being genuine, these art historians’ instinct told them it was a fake.
As a result, the investigations were revisited, and holes began to appear in what had previously been determined a rock-solid conclusion. Eventually, the statue was revealed to be a forgery made in Rome in the early 1980s. How could 14 months of rigorous due diligence by highly trained and highly paid professional consultants be wrong? So wrong, in fact, that art historians relying on their instincts could come to the correct determination in a matter of moments?
Gladwell argues in his book that a powerful process in all of us works subconsciously to sort through huge amounts of information gathered over a lifetime, make associations between data, and extract key indicators to arrive at rapid, highly accurate conclusions.
This is also the process of Enterprise Risk Management (ERM). A few ERM best practices are illustrated in this story:
- Let your line management lead the risk management process for their areas.
- Capture this expert opinion with a framework of risk indicators and a root cause discipline to ensure the quality of the captured opinion.
- Document their self-assessments of their operating processes to identify “What could go wrong?” based on their powerful expertise gathered from intimate knowledge of the subject matter.
- Evaluate the expert opinion to determine if action needs to be taken.
- Formalize the mitigation process to follow up on these instincts and craft a plan of action that takes into account historical data and traditional analysis.
- Monitor the plan of action to make sure it actually achieves the goal rather than merely the appearance of it.
Posted by stevenminsky in Enterprise Risk Management • Risk Assessment
October 05, 2006
BP Oil Pipeline Leak: A Cry for Enterprise Risk Management
Whenever there is a disaster or event that causes losses, it usually turns out that one or several employees in middle management or on the front lines had been forecasting the event for years, but no action had been taken. The recent story of British Petroleum’s oil pipeline leak in Alaska is no different. The headline of this week’s CNN news story, “BP was warned,” reads: “Interviews with employees and a 2002 letter predicting ‘catastrophe’ show that BP’s problems should have come as no surprise to management.”
According to the article, “One current BP employee who worked at both Prudhoe Bay and in Texas and spoke to Fortune on condition of anonymity says no one should be surprised by what eventually occurred. ‘The mantra was, Can we cut costs 10 percent?’ he recalls.”
How can such smart people make such bad decisions? The answer is found in over-reliance on quantitative analysis. There is a philosophy among some risk managers that all answers can be found in deep quantitative analysis of the numbers in databases to detect patterns. This is true for high-frequency risks. However, for low-frequency, high-impact risks (like the BP oil leak), quantitative analysis will often lead to incorrect decisions, or to more analysis with no decision at all. First, there is insufficient historical data to analyze, and many possible outcomes can easily and incorrectly be “fit to the data.” Second, with too little data, the patterns of correlation and dependency, and therefore the big-picture ramifications, cannot be easily understood.
The solution is Enterprise Risk Management (ERM). ERM is an iterative and sequential series of steps that utilizes risk self-assessment (the process of identifying and evaluating risks with regard to their potential impact and likelihood, as well as the related controls) together with the subsequent risk management process of control evaluation, action plan definition, and monitoring of risk and implementation progress. Enterprise Risk Management starts with a holistic and qualitative approach to first identify all the possible root causes of an issue, and then systematically helps quantify the total risk consequence, taking all the possibilities into consideration through scenario analysis and, if needed, quantitative analysis.
Quantitative analysis is expensive and narrow in applicability. Enterprise Risk Management is all about the best practice of performing a self-assessment and scenario analysis before deciding where, when and how to invest in deeper quantitative analysis such as loss database approaches. With ERM, management can weigh the full costs against the benefits to make a better decision. You can download a whitepaper on Risk Event Classification.
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification • Risk Mitigation
August 30, 2006
Risk Poll: How do you compare?
Below are four poll questions recently asked of Chief Risk Officers at organizations across North America. Take the survey yourself below, then compare your results with the downloadable poll results and the accompanying write-up.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Risk Assessment • Risk Maturity Model • Risk Mitigation
June 27, 2006
Re: Intelligence Failures, Part III: Opinion Poll
In my blog last week I defined the terms in the poll below and explained how risk management can prevent these failures from occurring. Vote your opinion, then view the results of what others think:
Thanks to Toren for his comments on my blog last week, "Intelligence Failures, Part II: Risk Management is the Answer." Toren writes:
"How would Risk management software deal with perceptions and preconceptions that drive leaders and make them look the other way once intelligence points against their gut feeling? Is there a software that integrates human experience and takes preconceptions, even feelings and mere hunches that may drive a decision, into account?"
Business has political interests and politics has business interests, but the discipline of risk management applies to both just the same. Toren's comment highlights the need to acquire human intelligence from front-line experts and balance it with other data sources to achieve better decision making. This is the heart of what risk management software is designed to address.
First, the underlying prerequisite for a successful risk management program is the "tone from the top": leadership must embrace a rigorous, objective and qualified risk management process. Transparency in the risk assessment and mitigation process is necessary to build the confidence and credibility for this buy-in. Software achieves this with embedded best practices and real-time interactive dashboards and reports that support efficiency and governance of the process. Senior leadership's commitment to actively engage in the risk management process will result in their conviction in the results.
With this mandate in place, the next issue is how to widen the net and process the information in an objective and consistent fashion, so that unsubstantiated preconceptions do not block out the facts. True Enterprise Risk Management software supports a risk control self-assessment approach with a library of guided questions to qualify, quantify and prioritize human intelligence for follow-up. This process breaks the information down into its root cause categories and factors and quantifies the potential impact of the risk, the likelihood that the risk will occur, and the current effectiveness of the controls in place should the risk actually occur. A risk index score is calculated as impact x likelihood x control. The risk index can then be used to systematically cull a broader base of information down to the most dangerous, highest-risk issues or scenarios.
Follow-up activities are assigned with due dates for deeper analysis that culminates in a recommendation for action, along with supporting documentation such as cost-benefit analysis, controls and budgets. This web-based system aggregates data from all areas of the organization. Control activities enforce discipline in the implementation and monitoring phases, preventing risks or minimizing their impact should they occur. It is this combination of methodology, process and software that prevents a premature conclusion or a disregard for the facts.
Thanks again to Toren; keep your inquiries coming and don't forget to vote your opinion above!
Posted by stevenminsky in Risk Assessment • Risk Mitigation • Software
June 06, 2006
Big Blue and Bird Flu?
IBM today announced its newest risk management service offering, Contingency Planning Assessment, in the press release “IBM TO HELP COMPANIES DETERMINE PANDEMIC PREPAREDNESS.” I had the opportunity to speak with Rich Cocchiara, IBM Distinguished Engineer & CTO for Business Resilience at IBM, prior to the announcement. Rich made the point that business continuity, disaster recovery and crisis management are constantly evolving and that new threats need new strategies. Rich outlined a few of the differences to consider in planning for a bird flu pandemic versus a traditional business continuity and disaster recovery issue.
1) People vs. Infrastructure Resources - Bird flu scenarios can affect up to 40% of employees, whereas traditional business continuity has been all about the physical infrastructure of buildings, transportation, data and communications.
2) Global vs. Local Geographies - A pandemic is forecast to affect multiple cities, regions and entire countries simultaneously, whereas traditional business continuity planning has focused on reactions to single, localized events.
3) Long-term vs. Temporary Impacts - Avian flu may come in several waves lasting several years and may change the way business is conducted over the long term, whereas traditional business continuity has been thought of in terms of a few days to a few weeks.
Rich posed this question on corporate preparedness: “Does your organization know how operations will be impacted by a health pandemic? What business areas will need to be shut down, or which functions, locations or processes abandoned?” Rich also pointed out that all organizations are impacted, including small and medium-sized businesses, not just the largest enterprises and government agencies.
Rich also commented on the importance of risk management software tools in supporting an Enterprise Risk Management program for identifying and assessing scenarios, evaluating options, and planning and tracking results. Further, keeping corporate objectives and a performance management view in mind can also help address current business operations issues and make your business better today. For example, enabling business processes for more effective telecommuting, or shifting operational work between offices and regions, can help businesses reduce costs and increase productivity today even if a bird flu pandemic never materializes.
This announcement by IBM validates the critical need to put an enterprise framework in place, with both a methodology and a process, to constantly re-evaluate thinking and planning on how risk can impact your business and what actions need to be taken.
What is keeping you up at night and what are you doing about it?
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Mitigation • Software
June 01, 2006
Looking for Risks in all the wrong places?
Risk management is all about the unidentified risks that can pose a major threat to your organization or result in significant opportunities being missed. Frequently, just after a failure, loss, blunder or catastrophe, we discover in hindsight that the facts had been staring us in the face all along, but they were either ignored or overlooked. Why is that?
A great article, “Long history of intelligence failures,” responds to this question based on military intelligence blunders from the wooden horse at Troy to the Yom Kippur war, Pearl Harbor, 9/11 and the Iraq War. I have adapted the article's categorization of these risk failures in a way that I think we can all easily apply to our own business challenges:
1) Overestimation - a determination to overemphasize information, leading to a false conclusion.
2) Underestimation - business analysts or leadership completely misread a competitor's intentions or a market event.
3) Over-confidence - bad assumptions based on our own certainty about how we would handle the situation.
4) Complacency - something is going to happen, though we are not sure what or when, and yet no action is taken.
5) Ignorance - when there is virtually no intelligence, we are at the mercy of events.
6) Failure to join the dots - failure to make the connections between bits of intelligence that would form a coherent whole.
Enterprise Risk Management is a proven framework for systematically addressing these six categories of weakness. My next blog entry outlines the parallels in the enterprise business world and articulates how Enterprise Risk Management can be used effectively to protect us from these risk process pitfalls.
Posted by stevenminsky in Enterprise Risk Management • Risk Assessment • Risk Identification