
New Perspectives on Cyber Security

The world continues to buzz about cyber security (or, perhaps we should say, insecurity). Now we have the Chinese government apparently admitting that it has a cyberwarfare capability: not just one unit, but three. Other nations, including the U.S., Japan and some European nations, are talking about their ineffective defenses and the need to develop an offensive capability.

What can the targets do about this? Every public and private company is a target, and so is each of us as an individual (yes, our personal devices are constantly under attack).

The first step is to get our collective heads out of the sand and understand that we are all, collectively and individually, at risk. The number of successful attacks is enormous (a billion records with personal information were hacked in 2014, according to IBM, as reported here). According to a survey discussed in Fortune, 71% of companies admit they were hacked last year, and the majority expect to be hacked this year. However, nearly a quarter, according to Fortune, have not only kept their heads in the sand but do so with unbelievable confidence; they think a successful cyber attack is “not likely” in the next 12 months. The trouble is that very often successful attacks are not detected at all! It took a long time before JPMorgan Chase found out it had been hacked, and even longer before it knew the extent of the damage.

Organizations need to be ready to respond effectively and fast!

The JPMorgan Chase article reports that, “The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.”

All is for naught if successful intrusions are not detected and responses are not initiated on a timely basis. In the Target case, reports say that the security monitoring service detected suspicious activity, but the company did not respond. According to ComputerWeekly.com, many companies make the mistake of “over-focusing on prevention and not paying enough attention to detection and response. Organizations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.”

Another insightful article discusses the critical need for pre-planned response capabilities. IT cannot do it all itself; business executives need to not only be involved but actively work to ensure their operations can survive a successful intrusion.

What else should we do?

We have to stop using passwords like “password,” the name of a pet or our birthday. Password managers are excellent tools (see this article on the top-rated products) and merit serious consideration. I have one. (BTW, I don’t plan to replace it with the latest idea from Yahoo of one-time text messages. However, I do like the fingerprint authentication on my iPhone.)

A risk-based approach to cyber security is the right path, in my view. But that does mean that organizations have to continuously monitor new and emerging risks, or new observations about existing risks. An example is a new article on insecure mobile apps — both from in-house developers and from external sources.

Organizations need to allocate resources to cyber and information security commensurate with the risks, and individuals have to take the time to update the software on their personal devices. Internal audit departments should make sure they have the talent to make a difference, providing objective evaluations and practical suggestions for improvement.

Companies and individuals, both, need to make sure they apply all the security patches released by software vendors. Patches address the vulnerabilities most often targeted, and when there is a breach it is very often because available patches had not been applied.

As individuals, we should have a credit-monitoring service (I do), set up alerts for suspicious activity on bank accounts and use all the anti-virus and spam protection that is reasonable to apply.

Finally, as individuals and as organizations, we need to make sure we and our people are alert to hackers’ attempts through malware, social engineering and so on. It is distressing that so many successful intrusions start with somebody clicking where they should not be clicking.

Pointers on Managing GRC Issues

MetricStream has shared with us a November 2014 report from the analyst firm Forrester: Predictions 2015: The Governance, Risk and Compliance Market Is Ready For Disruption. (Registration required.)

I have had serious issues in the past with Forrester, its portrayal of governance, risk management and compliance (GRC), its assessment of vendors’ solutions and its advice to organizations considering purchasing software to address their business problems.

However, Forrester does talk to a lot of organizations, both those that buy software as well as those that sell it. So, it is worth our time to read their reports and consider what they have to say. I’m going to work my way through the report, with excerpts and comments as appropriate.

“…the governance, risk, and compliance (GRC) technology market is ripe for disruption.”

I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance and so many more.

In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities but only use some of what they have bought – and what they do use may not be the best in the market to address that need.

Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks.

“A corporate risk event will lead to losses topping $20 billion.”

What is a “risk event”? This is strange language. Why can’t Forrester just talk about an “event” or, better still, a “situation”?

I agree that the management of organizations continues to make mistakes – as it has ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage and huge losses. I also agree that the size of those losses continues to rise.

But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor).

Management should consider all potential effects of uncertainty on the achievement of objectives.

“Embed risk best practices across the business…. Risk management helps enhance strategic decision-making at all organizational levels, and, when company success or failure is on the line, formal risk processes are essential.”

The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as she makes a decision, so she can take the right amount of the right risk.

“Read and understand your country’s corporate sentencing guidelines.”

This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines define an effective compliance program as one that periodically assesses the risk of criminal conduct and tailors its controls accordingly; organizations that take such a risk-based approach can receive reduced penalties should there be a compliance failure.

“Build and maintain a culture of compliance.”

Stating the obvious. It is easy to say, not so easy to accomplish.

“Review risks in your current register and add ‘customer impact’ to the relevant ones.”

All the potential consequences of a risk should be included when analyzing it. Rather than “customer,” I would include the issues that derive from upsetting the customer, such as lost sales and market share.

Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed.

Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong. However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called.

I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change.

What do you think of the report, the excerpts and my comments?

Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance and risk solutions?

[By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.]

A Better Way to Think About Reputation Risk

A new survey by Deloitte reinforces the obvious truth that a smart CEO and her board will nurture the organization’s reputation because it is critical to success (in almost every case). The survey states one other truth that should be obvious to us all: “Reputation risk is driven by other business risks.” As Miriam Kraus, a senior vice president at SAP responsible for its risk management program, is quoted as saying in the report: “Usually, reputation risks result from other risks. For example, noncompliance with applicable laws and regulations, misconduct of senior management, failure to adequately meet our customer’s expectations and contractual requirements. All of these could lead to civil liabilities and fines, as well as loss of customers and damage to the reputation and brand value of SAP, to just mention a few.”

But, while the paper has many interesting numbers and charts, I think it leaves much unsaid.

I wish that Deloitte had advised that when decision-makers assess risks they should consider the potential impact on the organization’s reputation (which can be good, bad or neutral) and add this to the assessment of other (more direct) potential effects.

It should be noted that the likelihood of a significant impact on reputation arising from, say, a safety issue is not necessarily the same as the likelihood of significant fines, lost time and so on; each consequence has its own likelihood and should be assessed on its own. In addition, the impact on reputation may be positive while the impact on, say, cash flow is negative! For example, the decision to divorce the organization from a supplier who is found to have broken the law may raise costs and disrupt delivery of product to the market – while enhancing the reputation of the organization.

I also wish that Deloitte had made it clear that organizations need to understand what is most likely to have a significant impact on their reputation. While Deloitte mentioned a few important areas, it omitted situations like failures (or excellence) in customer service, the help desk, public statements (including on social media), responses to media and regulators’ inquiries, announcements about plant closures and so on.

I believe it is important to identify the more significant drivers of reputation value, both the potentially positive and negative, so that they can be monitored and treated when appropriate, to optimize reputation.

Monitoring is key, and Deloitte has a sidebar that discusses some of the ways to do this. Deloitte calls the process risk-sensing.

One aspect that I didn’t see mentioned is that an organization’s reputation can be affected by the actions of third parties – without any stimulus from the organization. For example, from time to time, statements are made by the CEO of Oracle that are intended to attack the reputation of SAP, its primary competitor. The organization that is attacked needs to know what is happening and assess whether a response would help or hurt.

In the same way, when there is violence in some part of the world, people look to the U.S., EU, and others for a reaction. It’s not only the action that can affect reputation but the failure to act.

When the media find that there have been an unusual number of apparent failures in a model of automobile, the failure of the manufacturer to react can be as damaging as or more damaging than a poorly worded press statement.

Actions by third parties that are part of the extended enterprise (suppliers, channel parties, agents and even customers) can affect reputation. They need to be identified, assessed and monitored closely, as well.

Reputation risk is critical. While Deloitte doesn’t make this clear, because so many decisions and actions can impair or improve the organization’s reputation, it is essential that the impact on reputation be considered in pretty much every decision, from strategy-setting to the daily operation of the business.

Every manager and decision-maker — not just the chief risk officer — needs to own the risk.

One final point: One of the reasons I like the ISO 31000:2009 global risk management standard is that it doesn’t limit the risk management discussion to preventing bad things from happening. Every organization needs to pay attention to the ways in which it can build and grow its reputation, not just protect it.

Do you agree?

I welcome your comments and perspectives.

This article was first published on: Norman Marks on Governance, Risk Management, and Audit.

Giving the Gift of Books on Risk Management

As we near the gift-giving season, here are some books on risk management you might consider as gifts for yourself, your team or a friend with a passion for risk management.

First, here are two from one of the gurus of risk management.

Felix Kloman styles himself “a long-time student of the discipline of risk management” despite being a risk management practitioner, author and thought leader for the best part of half a century. If you are interested in the views of this sage and especially the development of risk management over time, you might want to look at these (both are available in paperback and for the Kindle):

John Fraser has co-written two massive tomes, each a collection of contributions by highly regarded risk management practitioners and academics (including Felix). They are full of useful information with chapters such as “Enterprise Risk Management: An Introduction and Overview”; “ERM and Its Role in Strategic Planning”; and “How to Plan and Run a Risk Management Workshop.” The books are:

Finally, Paul Sobel has made a contribution that merits consideration, especially by internal auditors. Paul brings an excellent mind to the topic, even though he may not have the many years’ experience that Felix (in particular) and John possess.

Have you read any of these books? I would like to know what you think of them.

I am also interested in whether there are other books on risk management you would recommend. (Nassim Nicholas Taleb is a controversial author and holds views that I don’t fully endorse, so I am not recommending him here.)