Cyber and reputation risk are dominoes

February 18, 2017 12 comments

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitzsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations giving separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, in how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.


A case study:

  • There is a possibility that the manager in HR who recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price of the company’s shares drops 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …….
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deepwater Horizon disaster.

I welcome your comments.

The current state of risk management

February 11, 2017 35 comments

The Ponemon Institute, which I have previously referred to in my posts as the publisher of reports on cyber, recently shared the results of their survey on risk management.

The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management has some interesting content.

The results are disturbing, but unfortunately what I had anticipated.

It is important to note that the 641 who answered the survey were involved in risk management within their organization. So the results are skewed towards having some level of formalized risk management. In other words, they are better than the general population. It is also important to recognize that most of the respondents are IT folk and some of the questions reflect the author’s IT orientation as opposed to a general business one.

The report, as so many, has to define risk management in its own way. But, frankly, it’s not bad. They break it down into risk management and risk intelligence.

In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.

We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use realtime information and forward-looking risk concepts and tools to maximize business performance.

Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. They don’t define what they mean by a risk management strategy, so I can’t comment further.

But this is key.

“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”

I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!

This adds fuel to that fire.

“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53 percent of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8 percent of respondents say these functions fully collaborate in enterprise risk management activities.”

A lack of resources and an inadequate budget are identified as barriers.

But here is the key question.

If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we be surprised that the risk management activity is under-funded?

This is demonstrable when “30 percent of respondents say no one person has overall responsibility to ensure the risk management program is well executed”.

The Appendix contains some valuable pieces of information. Here are two:

  • Only 32% say their organization has a very significant commitment to enterprise risk management.
  • On a scale of 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.

So what do we make of this?

Let’s start with some unpleasant facts!

  1. Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
  2. If they saw risk management as helping them make better decisions, you can bet they would invest in it!
  3. They can be persuaded, not by words but by action.
  4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
  5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
  6. The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
  7. Satisfying the board but not top management is not a recipe for long-term success.
  8. The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.

I welcome your comments.

When an acceptable level of risk is not acceptable

February 4, 2017 13 comments

We are used to identifying a risk, analyzing the potential consequences and their likelihood, and then establishing a ‘risk level’. We evaluate whether the level of risk is acceptable or not, based on risk appetite, risk criteria, or the like.

But is that sufficient?

Let’s imagine we are planning a trip from our home in Paris to Lyon. The plan is to take a taxi to the train station and then a fast train to Lyon. An uncle will meet the train and bring us to his home, where we will spend a few days.

You and your spouse assess the risks.

There’s a possibility that either of you or the kids will get sick. You assess that risk as low but will monitor it as the date gets closer.

Strikes in Paris are always a possibility and you are vulnerable to either a taxi or train strike. In addition, if the Metro workers go on strike finding a taxi will be hard. Again, you accept the risk but agree to monitor it.

Other risks include the possibility that your uncle or members of his family will be sick, or that either you or your spouse will be called into work to handle an emergency.

Overall, though, the risks are each assessed as low but need to be watched.

The week before the trip, two of your children start to show the symptoms of a bad cold. You are at home looking after them and have to make a decision. Will there be time to treat them so that it’s OK to travel rather than stay home? You decide that more likely than not they will recover in time and that the risk is acceptable.

But meantime, your spouse is hearing from a manager that there’s a decent chance (maybe 30%) that a potential major deal will close in a couple of days. If that happens, you will need to cancel the vacation. Your spouse decides that the risk is acceptable.

That evening, you get together and share your assessments of the individual risks.

While each may be acceptable individually, the combination troubles you. You decide to check the weather and see that there’s a 30% chance of rain in Lyon for each of the days you will be there.

Overall, you decide it is better to cancel. The overall situation is not to your liking. You are not going to take the risk.

The same thing can happen with a business situation.

If your company is considering opening an office in Japan, you might identify a number of risks such as:

  • Inability to hire Japanese-speaking employees with the experience and contacts necessary to make the new office a success
  • The ‘stickiness’ of Japanese companies when it comes to being open to buying products from you rather than their traditional Japanese vendors
  • The ability to deliver products to the Japanese market, given the long supply chain from your factories in Europe
  • The level of competition from your competitors, including the possibility of their lowering prices to keep you out
  • Your unfamiliarity with Japanese customs and regulations, leading to potential compliance risk
  • The increase in cyber risk from extending the network into Japan, especially as you expect the staff there to need Japanese language cloud-based systems
  • The additional cost of providing materials in the Japanese language
  • The ability to find warehouses with the necessary conditions to support sales in Japan

Each of these might be assessed separately, perhaps by different teams.

While each may seem to be individually acceptable, it is possible that the aggregate effect is such that there’s an unacceptable level of risk of failure.
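To put numbers on the point that individually acceptable risks can add up to an unacceptable whole, here is an added illustration (my own code, not part of the original post). It treats each risk as the probability that it derails the plan, assumes the risks are independent so that the chance at least one materialises is 1 minus the product of the complements, and uses the post’s two 30% figures plus constructed values for the remaining risks; the acceptance thresholds and the three-day stay are assumptions as well. The same check is then run over the Japan-office list with constructed probabilities.

```python
from math import prod


def prob_any(probabilities):
    """Probability that at least one of several events occurs, assuming the
    events are independent: 1 - product of (1 - p_i)."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def rain_at_least_one_day(p_rain_per_day, days):
    """Chance of rain on at least one day of a stay, given a per-day chance."""
    return prob_any([p_rain_per_day] * days)


def assess(risks, threshold):
    """Evaluate risks individually and in aggregate against one threshold.

    risks:     mapping of risk name -> probability it materialises (0..1)
    threshold: highest probability the decision-maker is willing to accept
    Returns (per-risk verdicts, aggregate probability, aggregate verdict).
    """
    individual = {name: p <= threshold for name, p in risks.items()}
    aggregate = prob_any(risks.values())
    return individual, aggregate, aggregate <= threshold


# Constructed inputs for the post's Paris-to-Lyon trip. The 30% figures are
# the post's; the other probabilities and the threshold are assumptions.
TRIP_RISKS = {
    "children not recovered by travel day": 0.40,  # "more likely than not they will recover"
    "spouse's major deal closes": 0.30,            # post: "maybe 30%"
    "taxi, train or Metro strike": 0.05,           # assumed
    "uncle or his family ill": 0.05,               # assumed
    "one of us called into work": 0.10,            # assumed
}
TRIP_THRESHOLD = 0.45  # assumed: any single risk up to 45% is tolerated
RAIN_PER_DAY, DAYS_IN_LYON = 0.30, 3  # 30% per day is the post's; 3 days assumed

# Constructed inputs for the Japan-office example: the eight risks from the
# post's list, each given an assumed 10% chance of sinking the new office.
JAPAN_OFFICE_RISKS = {
    "cannot hire experienced Japanese-speaking staff": 0.10,
    "customers stick with traditional Japanese vendors": 0.10,
    "long supply chain from Europe fails to deliver": 0.10,
    "competitors cut prices to keep us out": 0.10,
    "compliance failure from unfamiliar customs and regulations": 0.10,
    "cyber incident via the extended network and cloud systems": 0.10,
    "cost of Japanese-language materials overruns": 0.10,
    "no suitable warehouses found": 0.10,
}
JAPAN_THRESHOLD = 0.25  # assumed


def report(title, risks, threshold):
    individual, aggregate, acceptable = assess(risks, threshold)
    print(f"{title} (threshold {threshold:.0%})")
    for name, ok in individual.items():
        verdict = "acceptable" if ok else "UNACCEPTABLE"
        print(f"  {risks[name]:>4.0%}  {verdict:<12}  {name}")
    verdict = "acceptable" if acceptable else "UNACCEPTABLE"
    print(f"  chance at least one materialises: {aggregate:.1%} -> {verdict}\n")


if __name__ == "__main__":
    report("Trip to Lyon", TRIP_RISKS, TRIP_THRESHOLD)
    print(f"Rain on at least one of {DAYS_IN_LYON} days: "
          f"{rain_at_least_one_day(RAIN_PER_DAY, DAYS_IN_LYON):.1%}\n")
    report("Opening an office in Japan", JAPAN_OFFICE_RISKS, JAPAN_THRESHOLD)
```

With these inputs every trip risk passes the 45% test on its own, yet the chance that at least one of them forces a cancellation is about 66%; eight 10% risks on the Japan list combine to roughly 57%. The independence assumption is the weak point: a Metro strike also makes a taxi hard to find, so those risks are correlated and the simple product understates or overstates the truth depending on the correlation. The lesson survives either way: a go/no-go decision has to be judged on the aggregate, which a register of individually rated risks never shows.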

Why is this important?

A risk register or heat map that focuses on individual risks does not easily support business decisions like this.

Your thoughts? How do you address this?

Are you helping decision-makers understand the

How to mess up your risk management program

January 28, 2017 12 comments

My friend and sometime colleague Rick Steinberg has penned an amusing but spot-on piece that was recently published in Compliance Week.

Ten simple ways to manage risk … or not is a quick way to test whether you have an adult’s or a child’s risk management program.

Does your risk management activity ‘check the box’, or does it help the organization succeed by making more intelligent and informed decisions?

Tell me what you think of Rick’s ten. Here are some of my own, in addition to his excellent ones:

  • Be satisfied with the periodic review of a list of risks
  • Separate the discussions of strategy, performance, and risk
  • Ignore the fact that risk is created or modified with every decision
  • Don’t question how people make decisions, whether they do so in a disciplined manner that considers what might happen
  • Believe that an enterprise risk appetite statement drives decisions and risk-taking at all levels of the extended enterprise
  • Fail to assess the reliability of your risk management practices

Let me expand on the last of these, a principal theme of World-Class Risk Management.

If you follow the principle that you set objectives, identify risks to those objectives, and then ensure that there are measures in place to provide reasonable assurance that the objectives will be met, then risk management itself must have objectives. They include:

  • Identify the more significant risks to the achievement of enterprise objectives
  • Analyze the risks to determine their potential effects (consequences) and the likelihood of those consequences
  • Evaluate the risks (individually and in aggregate) to each objective and determine whether they are acceptable
  • Respond when the risks are at unacceptable levels
  • Monitor the condition of controls to ensure that the likelihood and extent of a failure in controls continues to be at acceptable levels
  • Communicate risk information to all who need it, when and how they need it
  • Manage all of the above at the speed of risk

There are risks to the achievement of these objectives. In the book, I reference a number of sources of risk, such as:

  • Unreliable information
  • Failing to involve all the necessary people
  • Failing to communicate to decision-makers guidance that will help them take the right level of the right risks
  • And many more

Few self-assess their risk management program. Where internal audit assesses it, I believe they focus more often on compliance with policy than on the risk that risk management itself will fail.

So, let me leave you with a couple of questions.

  1. What other signs are there that you have messed up your risk management program?
  2. Have you defined the objectives of your risk management activity, identified and assessed the risks to their achievement, and reported your assessment to executive management and the board?


The value of a risk register

January 21, 2017 52 comments

A risk register makes you feel good.

It makes you feel you have accomplished something, a list of risks that might cause harm to the organization.

It makes the executive team and the board feel that they can check the box: “do you have a risk management program? Yes.”

But, does that risk register help people formulate and then execute the right strategies for the organization to deliver optimal value?

Does it help people at all levels of the organization make informed and intelligent decisions?

In fact, does it do more harm than good? Does it give the false impression that risk to organizational objectives is managed at acceptable levels, when in fact decisions are made daily that do not give appropriate consideration to “what might happen”?

I did a small consulting project for an organization recently that wanted to improve its risk management. I pointed out that their annual filing with the SEC had 13 pages of risk factors. I asked whether they were used to enable better decision-making. The answer was a bunch of smiles. Frankly, I doubt that the executives present were even familiar with those 13 pages.

As I suggested in Risk in the Fourth Dimension, we need to consider what we are trying to achieve and why.

The purpose of risk management is not to produce or review a list of risks. It is to help the organization achieve its objectives by considering what might happen and acting to optimize outcomes.

What do the leaders and decision-makers of the organization need to be informed and successful?

Is it a list of risks?

Do risks remain static or are they dynamic?

In World-Class Risk Management I not only point out the need to manage the business at the speed of risk (I love the fact that others have adopted my phrase), which is dynamic, but that we need to consider the potential aggregate effect of risks on each corporate objective.

There are some risks that are transitory, such as those you consider when deciding which candidate to hire for an open position, and others that are continuing.

All you will see on a risk register (or for some a heat map, misleading as those charts are) are those that are expected to continue in some shape or form.

But even those continuing risks can change with surprising volatility, which is rarely indicated on a risk register.

A risk register or other form of list of risks does have some value, but it is limited.

I believe it is better to have a list of objectives and a continuing assessment of the likelihood they will be achieved.

That’s what matters. That’s why we need some form of risk management.

I ask again the question in Risk in the Fourth Dimension: are we just doing what we are told, as children, or are we figuring out how to help people make better decisions, as adults? That may be quite different from so-called traditional ERM, SRM, etc.

I welcome your comments.

Risk in the Fourth Dimension

January 15, 2017 12 comments

As a young boy, my family often spent our vacations at a hotel near Rimini, on the Adriatic coast of Italy.

The hotel owner had a six-year-old son. If I recall correctly, his name was Mario.

Mario only spoke a little English, which he had picked up from guests. But there was one word that he used all the time and which I recommend to you now.

The word, a magic word with amazing power, is “why”.

“Why are you going to the beach?” “Why do you want to swim?” “Why do you want a tan?”

Let’s think of the power of this word when it comes to risk and risk management.

For board members and executives, the question is “why should I spend my limited time on risk management? Do I do it only because it is expected or the regulators told us to do it?”

For risk practitioners, the question is “why should risk management be important to the organization and its leaders? Are its leaders only paying scant attention because it is expected or required for compliance with regulatory requirements? Why am I doing this; is it because my job is to help manage risk, or is it for some larger purpose?”

For internal auditors, the question might be “why should I assess risk management? Is it because that is what internal auditors are expected to do? Is it because it is ‘best practice’ or required by IIA Standards?”

I think these are all good questions that demand answers.

The answers are the key to unlocking the value of risk management.

The journey to the answer to the question ‘why’ starts with answering the question ‘what are we trying to achieve?’

We say that risk is about achieving objectives. So what are they? What are we trying to achieve?

We also say that risk management enables us to make more intelligent and informed decisions, and that making the right decisions is how we achieve our objectives.

So, every time we think we need to make a decision, we should ask “What are we trying to achieve?” followed by “Why are we making this decision?”

Now, we can start to think about what might happen (getting rid of the ‘r’ word, which only limits our thinking).

We can progress to additional questions, such as “Do I have all the information I need; am I involving the right people; how will my decision affect my and others’ objectives; what are the options; which is best; are any of the potential consequences of the decision unacceptable?” and so on.

But if you don’t have an answer to why you are making the decision and what you are trying to achieve, will you make the right decision?

For board members and executives, there has to be a rational and adult answer to “why should I care” and “why should I spend my time?”

As adults, we shouldn’t be doing things just because we are told to do them.

As children, when our mother told us to make the bed, did we do it well or just enough to get by?

If we were in the armed forces and the sergeant told us to make the bed, we probably made it better than was really needed for our comfort.

As adults, we make it (I hope) well enough to make the room look OK and our bed comfortable when we return to it.

As adults, we should manage risk because of its value to the organization, not because we are told to do it, because it is in the governance code, it is our job, or because of professional standards.

Understanding the value starts with “what are we trying to achieve?” on the journey to “why are we doing this?” and “what is the right decision?” The word ‘we’ includes us as individuals, as members of a team, but especially the interests of the organization as a whole.

Let’s take a specific risk management task, the report to the executives and the board.

Why do we do this, prepare and share the report?

What are we (the risk practitioner) trying to achieve?

What are they (the board and executives) trying to achieve?

Is this the right communication? Is it helping them achieve what they want to achieve?

Are we practicing risk management as children (doing what we are told or is expected) or as adults (doing so because it helps the organization and its leaders succeed)?

I welcome your comments.



PS – the title is stolen from the late Victor Mollo, author of two of my favorite bridge books, Bridge in the Menagerie and Bridge in the Fourth Dimension.



How much cyber risk should an organization take?

January 7, 2017 10 comments

I did a video with Joe McCafferty of MISTI last month. He wrote about it here, and you can find the video on YouTube.

I am interested in whether you share my views.

I also have some questions for you – after you watch the video:

  1. Should we be measuring cyber risk in relation to the potential effect of a breach on business objectives? Or should it be based on the effect on information assets?
  2. Do we know how to assess the level of risk?
  3. Are we doing a good job knowing how much risk we need to take to achieve our objectives? In other words, are we excessively risk averse or embracing of risk – and do we really know whether we are making the right business decision?
  4. Does it all come down to ROI, the cost and the value of additional investment in cyber prevention, detection, response, and remediation?
  5. Are we hyperventilating about cyber when there are more important risks to address?

I welcome your comments and answers.