Steven Minsky
New Era of Risk Management
Steven Minsky, a risk expert, highlights the differences between traditional Risk Management and true Enterprise Risk Management, which most importantly is about helping something happen - not preventing something from happening. Steven's blog helps you think about risk in a new way and how to benefit practically from this rapidly evolving new field.


November 16, 2006
Information Security and Enterprise Risk Management

Security of information is critical to all corporations and is one of the many areas of competency established within Enterprise Risk Management. The weakness of traditional risk management is its focus on historical precedent rather than a forward-looking, investigative approach. For example, the number of cases reported historically leads corporate IT to the usual suspects, such as external hackers. This leads to heavy investment in systems infrastructure and, many times, to overly burdensome security restrictions that interfere with daily business activities. Unlike traditional risk management, Enterprise Risk Management avoids this silo mentality by using a root cause approach to take a comprehensive view of risk. The root cause method looks at risks, such as information security, from all angles, including processes and relationships as well as people, systems and external sources. Enterprise Risk Management recognizes that the chain is only as strong as its weakest link. Over-investment in one area without the others is understood to be a poor use of resources.

Leading corporations are quickly adopting Enterprise Risk Management for this reason. However, some corporations are slow to adopt Enterprise Risk Management best practices and to extend their programs to line management. According to a recent survey, although 70 percent of corporations say they intend to adopt Enterprise Risk Management in the next few years, many organizations have not met their Enterprise Risk Management goals. The following true story highlights the peril of not putting urgency behind rolling out an Enterprise Risk Management program to operational areas across the enterprise.

ChoicePoint is the largest data broker assembling personal information records on all of us. ChoicePoint, like so many corporations, makes assurances on data security. Its management probably truly believes, as it claims, that it is aware of all the risks facing the company and that the organization is effectively addressing those risks as needed. Certainty of conviction should not be mistaken for investigative knowledge, especially if that investigation relies on a flawed process. According to a recent New York Times article, “Keeping Your Enemies Close”, for years ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: “Our systems are bulletproof. Intruder-proof. Believe us.”

However, in February 2005, according to the New York Times, ChoicePoint had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists entering unnoticed through the front door. This year, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency’s history, for security and record-handling procedures that violated the rights of consumers. ChoicePoint’s operations process for approving business partners was vulnerable: fraudsters were officially becoming business partners by exploiting ChoicePoint’s business process and practices. That kind of vulnerability is best uncovered by risk assessments conducted by the operations team, which is typical of an Enterprise Risk Management approach. The more rigorous the Enterprise Risk Management framework used to conduct this assessment, the more effective and valuable the results will be. Process-driven software with embedded frameworks can help create a repeatable and sustainable process.

Lessons learned from this story:
1) Roll out your Enterprise Risk Management charter to your line managers
2) Use root cause analysis as part of self-assessments to understand the source of risk
3) Use best practice risk indicators that are forward looking in nature to uncover risks
4) Develop clear measures of the penetration of your Enterprise Risk Management program
5) Measure the progress of your Enterprise Risk Management program roll-out and don’t allow the timetable to slip

Review lesson number one or your successor may be doing that for you.

Posted by stevenminsky in Enterprise Risk Management, Methodology, Risk Assessment, Risk Identification

October 26, 2006
Amaranth Advisors revealed; The Emperor has no clothes

Amaranth Advisors lost roughly $5 billion in a week, and this from a hedge fund that boasted of world-class risk-management systems. The result is a loss of 50% of the company’s asset base, best summarized by this USA Today headline: “Faced with billions lost, Amaranth Advisors will shut down.”

Amaranth Advisors was described as increasingly brash in its investments due to its confidence in its quantitative approach to risk management. According to this article in Business News, “The risk models employed by hedge funds use historic data, but the natural-gas markets have been more volatile this year than any year since 2001, making models less useful. They also might not predict how much selling of one’s stakes to get out of a position can cause prices to fall.” The Amaranth Advisors risk culture also had its roots in convertible-bond trading, a less volatile market.

Enterprise Risk Management (ERM) best practices add a forward-looking and scenario-based approach for a more balanced and comprehensive view of risk. ERM is a process composed of a series of iterative and sequential steps that enable continuous improvement in decision-making and performance with regard to the reduction of uncertainty within an organization. ERM helps a management team examine the markets in which it operates and formalize the acceptable risk tolerance for each segment. This process-driven approach helps a company set more appropriate controls to bring the business into alignment with the established risk appetite. It addresses the root cause of potential future problems rather than monitoring transactions for historic symptoms.

The Amaranth Advisors outcome is a classic case that demonstrates the pitfall of an overly quantitative approach to risk management. A company that relies too heavily on the traditional quantitative approach to risk management, namely the use of automated triggers based on data analysis to control risk, is much like the Emperor in the fabled children’s story, who believed too heavily in just one approach as the source of his information.

Posted by stevenminsky in Enterprise Risk Management, Methodology, Risk Assessment, Risk Identification

October 05, 2006
BP Oil Pipeline Leak: A Cry for Enterprise Risk Management

Whenever there is a disaster or an event that causes losses, it usually turns out that one or more employees in middle management or on the front lines had been forecasting the event years before, but no action had been taken. The recent story of British Petroleum’s oil pipeline leak in Alaska is no different. The headline of this week’s CNN news story, “BP was warned”, reads: “Interviews with employees and a 2002 letter predicting 'catastrophe' show that BP’s problems should have come as no surprise to management.”

According to the article, “One current BP employee who worked at both Prudhoe Bay and in Texas and spoke to Fortune on condition of anonymity says no one should be surprised by what eventually occurred. ‘The mantra was, Can we cut costs 10 percent?’ he recalls.”

How can such bad decisions be made by such smart people? The answer is found in an over-reliance on quantitative analysis. There is a philosophy among some risk managers that all answers can be found in deep quantitative analysis of the numbers in databases to detect patterns. This is true for high-frequency risks. However, for low-frequency, high-impact risks (like the BP oil leak), quantitative analysis will often lead to incorrect decision making, or to more analysis with no decision making at all. First, there is insufficient historical data to analyze, and many possible outcomes can easily and incorrectly be “fit to the data”. Second, with too little data, the patterns of correlation and dependency, and therefore the big-picture ramifications, cannot be easily understood.

The solution is Enterprise Risk Management (ERM). ERM is an iterative and sequential series of steps that utilizes risk self-assessment (the process of identifying and evaluating risks with regard to their potential impact and likelihood, as well as related controls) together with the subsequent risk management process of control evaluation, action plan definition, monitoring of risk and implementation development. Enterprise Risk Management starts with a holistic and qualitative approach to first identify all the possible root causes of an issue, and then systematically helps quantify the total risk consequence, taking all the possibilities into consideration with scenario analysis and, if needed, quantitative analysis.

Quantitative analysis is expensive and very narrow in applicability. Enterprise Risk Management is all about the best practice of performing a self-assessment and scenario analysis before deciding where, when and how to invest in a deeper quantitative analysis such as loss database approaches. With ERM, management can weigh the full costs against the benefits to make a better decision. A whitepaper on Risk Event Classification is available for download.

Posted by stevenminsky in Enterprise Risk Management, Methodology, Risk Assessment, Risk Identification, Risk Mitigation

July 18, 2006
NYSE CEO speaks out on IT risk, Part II with Opinion Poll

Based on the opinion poll within my last blog, interest was highest for the question: “How to surface common-knowledge security issues that management doesn't know about?”

You are in good company. At the SIA risk conference I had the opportunity to meet with Richard G. Ketchum, Chief Executive Officer of New York Stock Exchange Regulation. One of the major themes he spoke about was the need for Technology Assessments to review governance, risk and compliance issues. He commented that the adoption of new technology, combined with changes due to mergers and acquisitions, has left corporate systems frail and patched 3-4 levels below the senior management level, where they are "common knowledge" among operational staff members. He mentioned, however, that these high-risk field issues are frequently not known or understood by leadership and audit committees. He further spoke of the need for best practices to be implemented to identify reporting and control gaps.

When asked about methods to approach this problem, Mr. Ketchum commented, “Precision in an imprecise area is dangerous,” and suggested looking at the qualitative risk assessment approach of Enterprise Risk Management tools. He further commented that high-risk subjects include processes with deficiencies that have been triaged, areas that are not well connected, and legacy systems. Issues to focus on include operations and control practices.

COBIT 4.0 is just such a set of operational and control best practices that can help in this endeavor. According to ISACA, the publisher, COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Craig Symons at Forrester Research comments that "COBIT 4.0 Is A Strong Governance Platform".

You can download a complimentary copy of the new COBIT 4.0 best practices document on my website. I also recommend reading my article on Risk Maturity Models, "The Elephant at the Enterprise Risk Management Party", to best understand how to use the COBIT 4.0 framework.

My next blog will address the issue voted number two in the opinion poll of my last blog: "How to draw the line between acceptable and unacceptable risks?"

Posted by stevenminsky in Enterprise Risk Management, Methodology, Risk Identification, Risk Maturity Model

July 11, 2006
Hot New Risk Management Trends & Opinion Poll Part I

Judging from the SIA’s 2nd Annual Risk Management Conference for financial services firms, held on June 27th in New York City, the maturity of enterprise risk management has definitely moved up one notch in the past year. Uncertainty about how to define enterprise risk management and the debate about the value of risk management have been replaced with more practical concerns about how best to implement a risk management program and how to measure its performance.

For those of you who could not attend, the following are the hot topics to think about:
1) setting of risk tolerance or thresholds,
2) convergence of assessment work within risk, compliance, IT, finance and audit functions,
3) centralization or decentralization of the risk management function,
4) bird flu impact on business continuity,
5) the need for technology audits, and
6) accelerated adoption of Enterprise Risk Management as a business necessity by credit rating agencies.

According to Julian Fry, Global Head of Operational Risk at Merrill Lynch & Co., Inc., who was a panelist at the conference, the top 10 risk management business issues within Financial Services and Investment Management companies are:
1) Proper business practices,
2) Internal fraud,
3) Knowing your client,
4) Transaction execution,
5) Client selection exposure,
6) Business disruption,
7) Product complexity/pricing,
8) Employment practices,
9) Accounting evaluation (SOX), and
10) Back office operations.

You can find downloads for a few of the presentations from the conference at the link "risk conference presentations for download".

Posted by stevenminsky in Compliance, Enterprise Risk Management, Risk Identification

July 06, 2006
Opinion Poll: What keeps you up at night?

Fear or Opportunity? How will you respond?

Risk management: a fresh view of current events

Bird Flu: A Y2K-style technology-fix déjà vu sinkhole, or an opportunity to enable a more flexible virtual workforce?

Terrorism: A security nightmare, or an opportunity to improve controls that should be in place anyway?

Global warming: A disaster waiting to happen or a wakeup call for conserving energy and reducing costs?

Your next job promotion: Do you feel stuck in a game of musical chairs where events control you or are you proactively leveraging risk management to meet your performance objectives and advance your career?

Posted by stevenminsky in Risk Identification

June 15, 2006
Intelligence Failures, Part II: Risk Management is the Answer

In my last blog I referenced the article “History of Intelligence Failures”, illustrating the most spectacular military intelligence failures over the course of history. I also presented my adapted list of the 6 most important root cause reasons for business risk failures in “Looking for Risks in all the wrong places?”

Jacob commented on my blog: "You mean to say all above mentioned business challenges can be handled by Enterprise Risk Management Software?" My blog below will provide a definitive yes. Below is an outline of how Enterprise Risk Management, together with the right software, can affect the impact and/or likelihood of these failures showing up on your watch.

First of all, let's define Enterprise Risk Management. According to the Australian Risk Standard, it is “the culture, processes and structures that are directed towards realizing potential opportunities while managing adverse effects”.

Now let's look at those 6 risk coverage vulnerabilities:
Overestimation - a determination to overemphasize information, leading to a false conclusion.

Enterprise Risk Management establishes a standard and easy-to-understand methodology to systematically identify, qualify and quantify risk. The hard part is getting started. Software facilitates the identification and assessment process and offers three criteria, Impact, Likelihood and Effectiveness of Controls, for scoring risk in order to prioritize and balance all the aspects of risk and performance and get a more objective estimation. Establishing objective criteria is the first defense against overemphasizing information or becoming blinded by your own convictions or those of others.

Underestimation - business analysts or leadership completely misread a competitor's intentions, a market event, or a regulator's guidance or intentions.

Key risk indicators help prompt thinking about how risk can affect your organization in different ways and from a variety of angles. Further, strategic key risk indicators are designed to help uncover disruptive threats that are difficult to address with traditional risk approaches. A quality ERM software package should come with a robust library of key risk indicators organized by industry, function and core process.

Over-confidence - bad assumptions based on our own certainty on how we would handle the situation.

These embedded best-practice risk indicator libraries, together with the software framework, help us perform gap analysis on how our organization looks at issues versus the lessons learned by peers in our industry. A framework should incorporate best practices from leading industry organizations and standards such as Standard & Poor's, the Australian Risk Management Standard, COBIT for IT Governance and Security, COSO for Financial Controls, and other frameworks.

Complacency - something is going to happen, though not sure what or when, and yet no action is taken.

You do not have to take action on every risk, but you do need to quantify and measure your current risk and compare it with your thresholds of acceptable risk to decide whether to monitor the risk, take action, or accept it as within tolerance. Using software to standardize the process and capture risk issues helps formalize the process and escalate issues for follow-up. Software also helps manage the workflow of assigning roles and responsibilities as well as follow-up notifications and tracking.

Ignorance - When there is virtually no intelligence, we are at the mercy of events.

Much like TurboTax for personal taxation, we don't have to be experts on everything: the software can prompt us for the relevant information and walk us through the process to successful compliance and even tax savings. Enterprise Risk Management software embeds best-practice risk methodology, which is all about embedding risk management in the existing culture of an organization. That means everything from planning and analysis processes, capital allocation, performance evaluation, strategic planning and internal audit to IT business continuity and security assessments.

Failure to join the dots - failure to make connections between bits of intelligence to make a coherent whole.

Ad hoc risk management done with home-grown tools lends itself to information being buried in spreadsheets and Word documents throughout the corporation. Many times there is a dependency between a risk in one business area and a risk in another, or a compound risk in which two separate but identical risks in separate areas occur at the same time, which can be worse than either risk individually. Aggregating this information into interactive dashboards and flexible reporting that can filter and present risk segmented by risk or by risk dependency is invaluable in seeing the big picture.

Now that we have walked through the concepts, you may be interested in reading a real-life company's story in InformationWeek's article last month, “Software makes risk management easier to swallow”.

Posted by stevenminsky in Enterprise Risk Management, Methodology, Risk Identification

June 01, 2006
Looking for Risks in all the wrong places?

Risk management is all about unidentified risks that can pose a major threat to your organization or result in significant opportunities being missed. Frequently, just after a failure, loss, blunder or catastrophe, we discover in hindsight that the facts had been staring us in the face all along, but were either ignored or overlooked. Why is that?

A great article, “Long history of intelligence failures”, responds to this question based on military intelligence blunders from the wooden horse at Troy to the Yom Kippur War, Pearl Harbor, 9/11 and the Iraq War. I have adapted the article's categorization of these risk failures in a way that I think we can all easily apply to our own business challenges:

1) Overestimation - a determination to overemphasize information, leading to a false conclusion.
2) Underestimation - business analysts or leadership completely misreads a competitor's intentions or market event.
3) Over-confidence - bad assumptions based on our own certainty on how we would handle the situation.
4) Complacency - something is going to happen, though not sure what or when, and yet no action is taken.
5) Ignorance - When there is virtually no intelligence, we are at the mercy of events.
6) Failure to join the dots - failure to make connections between bits of intelligence to make a coherent whole.

Enterprise Risk Management is a proven framework to systematically address these six categories of weakness. My next Blog entry outlines the parallels in the enterprise business world and articulates how Enterprise Risk Management can be effectively used to protect us from these risk process pitfalls.

Posted by stevenminsky in Enterprise Risk Management, Risk Assessment, Risk Identification

May 22, 2006
Identity Theft Risk: Are you tracking the root cause?

CNN recently published a new report, “Identity theft: The new way to rob a bank”. The article is about how a bank employee recently committed identity theft by selling customer information, which resulted in $12 million in losses to the employer. The folks inside are just as likely to be the perpetrators as the folks outside.

This article highlights the need for organizations to identify the root cause of risks so that appropriate action can be taken. The field of Enterprise Risk Management is doing just that. Do your Enterprise Risk Management program and tools help you identify, assess and track issues from a root cause perspective? That is, not only tracking the losses attributed to identity theft, for example, but determining the specific root cause that is allowing the identity theft to occur: is it outside hackers or your employees? IT systems? Relationships with vendors?

When we hear “identity theft”, we jump to the conclusion, often incorrectly, that bank information is stolen by outside hackers, and when we hear “bank robbery” we think of the infamous "cell phone bandit" who recently robbed a series of Wachovia bank branches.

The FBI reports that there are about 7,600 bank robberies a year, amounting to roughly $77 million in losses to the institutions. By comparison, a 2003 Federal Trade Commission report estimated identity theft losses to financial institutions at $47 billion.

There is more on root cause and Enterprise Risk Management in my ebizQ column, “The Price of Fraud”, where I wrote about how Enterprise Risk Management tools are helping in the battle against fraud.

Posted by stevenminsky in Identity Theft, Risk Identification
