A management risk committee

February 17, 2019 4 comments

A couple of weeks ago, Jim DeLoach shared his views on effective [management] risk committees. I pretty much agree with what he had to say in NACD’s BoardTalk.

This, plus a question from a follower of this blog on the same topic, had me searching for the charter of the risk committee I established, with the strong support of the CEO, at Business Objects. Unfortunately, I couldn’t find it. But I can share some of the principles under which it operated.

The four members were all direct reports to the CEO and I served as staff and advisor. They included the executive vice presidents responsible for Product Development and Marketing (chair), plus the CFO and general counsel

The committee was responsible for oversight of management’s processes and policies around the management of risk. This included being evangelists for the consideration of ‘what might happen’ in all major decisions of the business.

We spent most of our time working to reach a consensus on the major risks and opportunities that might affect the company’s objectives. The members each represented a very different segment of our business operations and it took their collective insights to see the big picture.

But, the full executive committee would then consider the assessments made by the risk committee, led actively by the CEO. In fact, in some respects the executive committee was the risk committee.

In any event, the committee did not last very long for the simple reason that the company was acquired by SAP.

 

How does your risk committee function?

Why does it exist?

What value does it deliver?

How does it integrate with discussions on strategy and performance?

Advertisements

New Book: Making Business Sense of Technology Risk

February 12, 2019 2 comments

I am pleased to announce that my new book is available on Amazon.You can find details on the Norman’s Books tab.

Making business sense of technology risk - cover

While I started my career as a financial auditor, I soon migrated to the IT world. I was an IT auditor, manager, and senior manager in public accounting and industry before crossing over to lead as a vice president a major portion of a large IT function (including information security and related activities).

As the head of internal audit for large public companies and later as chief risk officer,  I worked with the executive management team and the board, providing assurance, advice, and insight on a number of areas, but technology was always a hot topic.

So while I was (at one time) a techie, my perspective for the last many years has been that of an executive and board advisor. In fact, at one company the chair of the IT committee asked me to attend its meetings to provide him and the rest of the members with my insights in addition to those of the CIO.

The question was always “what did we have to do, what decisions did we have to make, to enable the company to succeed?”

We should all be concerned about the failure of boards to understand technology-related risks and how they rate compared to other sources of business risk.

Much of the problem can easily be attributed to the failure of the technical management team to communicate those sources of risk in a way that makes sense to business management and the board.

Boards and top executives need actionable information that helps them understand how technology-related sources of risk might affect the objectives they are trying to achieve.

Simply providing leaders with a list of top risks or a heat map with prioritized information assets is not the actionable information leaders need.

This book provides my thoughts on how to bridge the divide between technical management and business leadership. After reviewing the major available frameworks (from NIST and ISO, with reference to FAIR as well), I share some key principles and advice on incorporating the consideration of technology-related sources of risk in decision-making and how to communicate in a way that provides the actionable information needed by leaders.

I hope you enjoy it!

Focusing board attention on management

February 9, 2019 6 comments

My good friend, Jim DeLoach had two pieces published in January.

Both are full of good ideas and suggestions for boards, well worth reading.

They are:

·        Briefing The Board On Technology Matters

I differ from Jim and other advisors to boards on one paramount point.

Rather than trying to make sure themselves that everything is right, the board should focus its limited time on gaining comfort that it has the right management team in place, a team capable of getting things right.

The board only meets to discuss a limited number of topics a limited number of times each year. They cannot hope to run the company in a few board meetings, assessing new technologies or financial reporting.

Instead, they need to ask the questions that will help them assess whether they have reasonable assurance that management is making intelligent and informed decisions on matters like these – every day.

So, I think it’s better for the board to ask questions such as:

  • Are you, CEO, comfortable with the ability of the management team to identify, assess, select, and implement the new technologies that will advance the company? If so, why?
  • Are you, CEO, assured that intelligent and informed decisions are being made as a part of setting and executing on strategies, decisions that incorporate a solid understanding and appreciation of the full range of things that might happen and affect the achievement of objectives? If so, what gives you that assurance?
  • Are you, the management team satisfied that the internal audit team is providing you (and us) with the assurance, advice, and insight we need to be successful? If so, why?

What does this mean for practitioners?

  • Provide the board with information on the adequacy of management’s processes and capabilities, not just on specific topics.
  • Be ready to provide your professional opinions not only on the processes but also on the people involved in running the organization. If people are not up to the job, it is wrong to sit and watch failures from the sidelines.

I welcome your thoughts and perspectives.

The positive side of risk

January 30, 2019 15 comments

Both good and bad things happen. Only managing the potential for failure, in my opinion, is a recipe for failure.

It is essential to consider all the things that might happen, both good and bad, if you are to achieve your objectives.

 

So how should we talk about the good stuff if we reserve the word ‘risk’ for the bad?

 

COSO and governance codes like King IV (South Africa) talk about ‘risk and opportunity’, where risk refers to the harmful effect of what might happen and opportunity is the positive side.

I have heard people talk about opportunity being the “other side of the coin” from risk.

 

ISO 31000:2018 refers to risk as ‘the effect of uncertainty on objectives’; the effect could be either positive or negative. (ISO does not provide a definition of uncertainty in this context. There are several dictionary definitions, few of which work in this context, but the one in Wikipedia is useful: “Uncertainty is a potential, unpredictable, and uncontrollable outcome.” That is consistent with my preference for talking about ‘what might happen’.)

We could use the ISO language, but is that useful when people generally see risk as bad?

 

If we can’t agree on what the terms risk and opportunity mean, how can we have a constructive conversation?

 

What does real life have to tell us?

 

Let’s take the fairly simple example of a CEO starting his day.

He is thinking about the problem that came up late the previous evening and how he should spend his morning.

His current schedule starts at 9:30 am with a 2 hour final review and approval of the company’s next generation product. The project leaders and his key direct reports are meeting in his conference room to confirm that it is on track for timely and quality completion. The product is essential to the success of the company over the next couple of years, especially as its competitors are likely to release similar products at about the same time as the company. A delay or functionality failure would be a disaster.

But, last night the CFO sent him an email with the updated forecast for the 4th quarter (Q4) and full year. Apparently, the company is expected to miss both the Q4 and annual revenue numbers (which he had shared with the analysts only a month earlier) by as much as $10 million. The CEO knows that will disappoint the market and the company’s share price will drop. In addition, his customers will see the shortfall and question whether they should move all or part of their business to a competitor that reports revenue and market share growth.

He knows he needs to understand the situation better. A meeting with both the CFO and the head of sales is needed, so he texts them both and asks that they meet in his office at 8 am.

The CEO is also thinking about what could be done to salvage the situation. He remembers that when he last talked to the head of sales, several large deals were being pursued. Perhaps he could visit a few of those customers; his presence and ability to make a deal might either increase the size of a deal or accelerate one from Q1 of next year into Q4.

The 8am meeting sheds some light on the current situation. His questions elicit:

  • The CFO and head of sales believe there is only a 70% likelihood of achieving revenue goals.
  • There are several deals that are being negotiated, each with a different likelihood of success. Overall, the head of sales says that:
    • There’s a 15% chance that they will miss by $5 million or so. The CFO and CEO agree that this will disappoint the market and the share price will drop temporarily. A good Q1 could bring it back.
    • They could miss by $10 million or even more, and that is also 15% likely. The CFO and CEO deem that unacceptable as the share price would drop substantially and it could be several quarters before it recovered.
    • If the CEO joined him to visit three major customers, including one that afternoon, there is a good possibility that they will be able to bring some large deals to a close in Q4 and hit their numbers. The head of sales believes that the likelihood of hitting the numbers (or better) would increase to 90%, and the possibility of a $10 million miss would drop to only a few percent. The CEO would have to leave the office by 10 am as the customer is a 2 hour drive away.
  • The CFO advises that he should warn the market of the possibility of missing the previously announced numbers by the end of the week (just a few days away) – unless the forecast changes before then.

 

It is decision time for the CEO.

If he stays with the current schedule, the likelihood of missing the revenue numbers is unacceptable. The board will expect him to act, as long as he doesn’t offer a massive discount to close deals at the cost of Q1 results. In addition, large discounts would set expectations for similar discounts in the future.

But, if he postpones the project review he might avoid the revenue failure.

But, again, if he postpones the project review for a week while he chases revenue, there’s a chance (which he estimates at 20%) that it’s going in the wrong direction and it would take enormous efforts to bring it back.

On reflection, he changes his gloomy estimate from 20% to 5%, because it would only be a week’s delay and he should be able to catch any major defects before they turn into disasters.

 

So, he has to weigh all the possibilities and make an informed and intelligent decision.

 

He decides to ask his COO to lead the project review while he visits as many major customers as he can before the end of the week.

Both good and bad consequences may flow from this decision.

 

Do we call the good ‘opportunities’ and the bad ‘risks’? Should we call all the potential effects ‘risks’?

Certainly, one is not (IMHO) the flip side of the other.

It’s not as if you either have either a risk or an opportunity, a good or a bad potential effect. The decision will have both.

 

I don’t care what you call them as long as you recognize that the potential effects of uncertainty can be positive, negative, or (most likely) both.

 

I welcome your comments, good and bad.

Hyperventilating about cyber – Part 2

January 27, 2019 2 comments

Today, I am going to share an excerpt from a draft of my upcoming book, Making Business Sense of Technology Risk.

I welcome your comments and feedback.

 

============================================================================

Is the level of concern about cyber merited? Should organizations and individuals be as worried about the possibility and consequences of a breach as they are advised by the consultants, information security pundits, and in news reports?

anxiety

The answer is “it depends”.

The potential for harm is not the same for every organization, in every nation, and in every industry sector.

For example, when I was with Tosco Corporation as head of internal audit, I was worried about the possibility that a hacker might breach our cyber walls and get to the control system in one or more of our refineries’ process units. Whether by accident or on purpose, they could change pressure or temperature settings and cause a fire or explosion that would likely kill or severely injure a number of employees.

But gaining access to our corporate systems was much less of a concern. They might disrupt our business for a while, but any consequences of the breach would not be of a magnitude that would cause the organization to fail.

After Tosco, I joined Solectron Corporation. This was a contract manufacturer of electronic equipment such as phones, servers, laptops, telecommunications equipment and so on. While a breach would be annoying and disruptive, I cannot think of a scenario where it would cause the company to fail.

From Solectron, I went to Maxtor Corp. (the leading manufacturer of hard drives) and Business Objects (the leader in business analytics software). Both had intellectual property such as product design that gave them a technological lead in their markets. The theft of that intellectual property would be serious and could erode their advantageous market position and, eventually, market share and profits. Such consequences were of serious concern.

 

My advice is to focus less on how a breach might happen (after all, there are usually a number of vulnerabilities) and more on the potential consequences. In other words, don’t worry (yet) about which vulnerabilities might exist and be exploited. The effect may be the same whichever vulnerability the hackers exploited.

There will be a range of possible consequences, each with a different likelihood.

The next step is to work with business management to assess the effect on the business and the achievement of objectives. That is, in my opinion, the best way to determine the potential severity of a breach.

It is now possible to develop a chart that shows the range of potential breach consequences (the effect of a breach on the business) and the likelihoods of each level of consequence.

Management should consider whether there is an unacceptable likelihood that a breach could cause severe harm, to the point where the organization would fail to achieve its objectives.

There is always a theoretical possibility of a dire consequence. The question is whether the likelihood is so great that immediate action is required – and resources diverted from other business investments.

At the lower end of the range of consequences lie effects that would not cripple the business. But management should still consider whether there is too high a possibility of what some would call ‘death by a thousand cuts,’ where disruptions are so frequent that the likelihood of achieving objectives is severely affected.

But that is not enough.

Business objectives may be subject to multiple technology-related sources of risk and other business risks as well.

In order for executives and business leaders to make intelligent and informed decisions, they need to understand all the sources of risk.

Those responsible for assessing and communicating cyber risk need to work collaboratively with those handling other sources of risk to ensure decision-makers are provided the actionable information they need.

 

When looking at the big picture, is the likelihood of achieving enterprise objectives at an acceptable level? Is there an unacceptable likelihood of severe harm?

If so, drill down to the sources of risk that underlie the assessment. Analysis should be performed to determine where changes should be made (which may or may not relate to cyber). It all depends on the degree that the level of risk can be changed, the certainty of that result, and the related cost.

If the decision is made that the level of cyber risk needs to be changed, this is where I would consider all the vulnerabilities and the options for improving defense, detection, and response.

I would not pour resources into cyber simply on principle (somebody assesses the risk as high) where it not justified on business grounds.

 

It is important to understand what leaders need if you are to provide them with the information necessary for quality decisions. My advice is to give them both the big picture and the detail, and then they can work with the practitioner to refine reporting and communications.

Hyperventilating about cyber – Part I

January 20, 2019 3 comments

It’s hard to see a survey these days that doesn’t include cyber as one of the top risks faced by organizations around the world.

But should it be?

Are we hyperventilating unnecessarily? Or is the risk so severe that such a reaction is justified?

anxiety

This is the first of two posts I plan on the topic. This one will talk about the effect of breaches on consumers, and then I will move on to corporations and my advice to risk and cyber professionals.

 

Over the last decade or so, I have traveled all over the world, sometimes on vacation but also to speak at conferences and lead training sessions.

While my preference is for the Hilton family of hotels (simply because I have more status with them), I have also stayed frequently at Marriott, Sheraton, and other properties.

So when Marriott announced a massive cyber breach in November, I wondered how it would affect me personally.

The first thing I noticed was that while this was announced as a Marriott breach in the news (such as on NBC), the report didn’t make it clear that it only related to stays at hotels like the Sheraton and the Westin. NBC references Starwood, but not everybody knows which hotels are included in the Starwood family.

So what was stolen?

A January update by Marriott provided a little clarity:

  • The breach relates to stays at Starwood properties (not Marriots) since 2014.
  • The number of guests whose records were stolen is unclear. All we know at this point is that it is less than 383 million.
  • While 25.55 million passport numbers were stolen, all but 5.25 million were encrypted and the encryption appears to be secure.
  • 6 million credit card (referred to as payment card) records were stolen, but as of September 2018 only 354,000 cards had not expired. All the data were encrypted.
  • In addition to credit card and passport information, the hackers copied names, addresses, email addresses, phone numbers, and reservation dates.

What could that mean to me?

My information might be included, but I cannot see this as something of great concern.

What could the hackers do with it?

Not much.

The FTC has a useful piece of advice, which I recommend. But I already have my credit rating monitored, alerts on each of my credit and bank accounts for unusual activity, and don’t think I need to do more.

I cannot see how my passport number can be used to cause me harm. I don’t need to get a new one.

Certainly, the breach will cost Marriott (more in the second post). Lawsuits have already been filed (including this one), even though there is little evidence of harm to guests (IMHO).

My breath is normal. How is yours?

 

Questions:

  1. Am I missing something? Can hackers misuse my passport number and stay information?
  2. Is this something I should be hyperventilating about?

Making intelligent decisions that consider cyber risk

January 15, 2019 8 comments

Last month, I said People don’t know how to assess cyber risk.

I quoted from a McKinsey report (my highlights):

  • Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
  • Most reporting fails to convey the implications of risk levels for business Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
  • At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”

Osterman Research published the results of a survey of board members in 2016. They concluded (my highlights):

  • 85% of board members believe that IT and security executives need to improve the way they report to the board.
  • 59% say that one or more IT security executive will lose their job as a result of failing to provide useful, actionable information.
  • 54% agree or strongly agree that reports are too technical.
  • Only 33% of IT and security executives believe the board comprehends the cyber security information provided to them.

Why is that?

I believe it’s because most reports are either a list of risks or a list of prioritized information assets (produced by following guidance from ISO, NIST, or FAIR).

A list of risks may be technically sound.

But is such a list actionable information?

Does it help boards and executives make the quality strategic and tactical decisions necessary for enterprise success?

 

Protiviti recently shared the results of a CISO round table. Are the CISOs talking about changing the paradigm from managing a list of cyber risks to helping the organization’s leaders take the right level of risk and manage the business for success?

No. They continue to talk about their silos. Stories about breaches are interesting but may not relate to running the business to deliver value.

 

Executives need information that will help them decide how much to invest in cyber when those same resources could be applied to highly profitable investments in new technologies, product design, acquisitions, a marketing campaign, hiring, and so on.

They need to know the likelihood of a breach that would result in their failing to achieve their objectives as an organization.

 

CISOs and consultants complain that boards don’t understand cyber and information security.

It’s true: they don’t.

Why should they learn the language of cyber? They can’t be experts in everything, including not only cyber but financial management, hedging, marketing, product design and development, and so on.

No. Those charged with managing cyber have to learn how to communicate their concerns in the language of the business instead of asking board members and top executives to learn technobabble.

Even there was a member of the board that talked technobabble, cyber risk still needs to be translated into common business language so that everybody can see the big picture.

Cyber is just one of many sources of risk to enterprise objectives, and business decisions should be made based on reliable information and a view of the big picture, one that includes all the related risks.

 

My advice for CIOs, CISOs, and CROs:

  • Take each of the organization’s strategic objectives, such as “revenue growth of 10%”
  • Consider how a breach might affect each objective
  • What is the magnitude of breach, what would have to happen, for there to be a significant effect on the achievement of one or more objectives – an effect that would be considered unacceptable by leadership?
  • How likely is that?
  • Communicate that information to leadership, but first work with those responsible for reporting overall risk to objectives and integrate cyber risk into their reporting
  • Help the board and top management understand whether cyber-related risk, together with other sources of business risk, means there is an unacceptable likelihood of failing to achieve enterprise objectives
  • Help leaders decide how to respond when the overall risk is unacceptable (i.e., the likelihood of success is lower than desired)
  • In other words, help them manage the business rather than a list of risks or information assets

 

I welcome your thoughts.