Showing posts with label Risk Mitigation. Show all posts

August 3, 2012

FOIA Making Us Stronger

To commemorate 46 years since the Freedom of Information Act (FOIA) was passed on July 4, 1966, the Project on Government Oversight (POGO) came out with an infographic showing the significant progress that has been made in government transparency and areas they still see for possible improvement.

Similarly, Government Executive Magazine ran a feature article in June 2012 called "The Truth Behind Transparency," calling progress with open government "tough to gauge."

The basic idea of FOIA, as the website for Sunshine Week put it, is: "the public's right to know about its government."

Obviously, as GovExec points out, one of the main questions over the years with FOIA is "how quickly and fully do agencies respond to FOIA requests?"

Too much and too soon, and do you perhaps put at risk various sensitive information, jeopardizing elements of the functioning of government itself?

Too little and too late, and then is the opportunity for mismanagement, waste, fraud, and abuse simply an after fact?

As Beth Novek, former deputy chief technology officer for open government, described it, open government is a "shorthand for open innovation or the idea that working in a transparent, participatory, and collaborative fashion helps improve performance, inform decision-making, encourage entrepreneurship and solve problems more effectively."

Transparency can aid in accountability by shedding a light on leadership and its performance management. It can also be a great opportunity to bring new ideas and opinions to the fold, perhaps leading to better decisions and results, at the end of the day, for all. 

The challenge for government is to guard against any information risks to the safety and security of our nation.  

An informed nation is a stronger nation--to me, it is a foundation of a government "of the people, by the people, for the people."

Government and the people working together, duly informed, to confront our toughest challenges and solve our greatest problems.



July 12, 2012

100% Burglar Proof--Tell Me Another One

So I saw this advertisement for a "100% burglar proof" system and I was just bewildered.

Does anyone really think we can be 100% sure of anything--let alone security?

Every day, thieves rob the safest banks, cyber criminals hack the most secure systems, and crooks break into the most secure sites.

Everything we do comes down to risk management--assessing and classifying risk, selecting controls to mitigate risk, and monitoring those for effectiveness and necessary modifications. 

For children, maybe things are basic black and white--it's simpler that way, with "good guys" and "bad guys" and so on--but for adults, we know there are at least "50 shades of grey," and that means that there are no certainties in life--whether security, sure financial bets, or perfect opportunities--everything is a gamble in some respects.

I remember someone once joked about even marriage being somewhat chancy, since "you never really know the person until you wake up with them in the morning every day."

With 20-20 hindsight, all the pundits seem brilliant, but only the prophets can predict the future with accuracy. 

As to any product or vendor that markets itself as having a 100% success rate, you better get yourself a money back guarantee on it, because you will definitely need it! ;-)

(Source Photo: Andy Blumenthal)


September 4, 2011

9/11 - A Lesson In Risky Business

Corresponding to the 10th anniversary of 9/11, Bloomberg BusinessWeek (5-11 Sept 2011) has a great article on risk management called The G-d Clause.

When insurers take out insurance--this is called reinsurance, and reinsurers are "on the hook for everything, for all the risks that stretch the limits of the imagination"--that's referred to as The G-d Clause--whatever the almighty can come up with, the "reinsurers are ultimately responsible for" paying for it.

And obviously, when insurers and reinsurers don't well imagine, forecast, and price for risky events--they end up losing money and potentially going out of business!

Well when it came to 9/11, insurers lost fairly big financially--to the tune of $23 billion (it is in fact, the 4th costliest disaster since 1970 after Japan's tsunami, earthquake and Fukushima nuclear disaster ($235B), and hurricanes Katrina ($72B) and Andrew ($25B) in the U.S.)

Even Lloyd's, "that invented the modern profession of insurance [and] publishes a yearly list of what it calls 'Realistic Disaster Scenarios,'" and that had imagined 2 airlines colliding over a city, failed to anticipate the events of September 11, 2001.

According to the article, even insurers that make their living forecasting risks, "can get complacent."

And the psychology of the here and now, where "people measure against the perceived reality around them and not against the possible futures" is the danger we face in terms of being unprepared for the catastrophic events that await, but are not foretold.

In a sense, this is like enterprise architecture on steroids, where we know our "as-is" situation today and we try to project our "to-be" scenario of the future; if our projection is too far off the mark, then we risk either failing at our mission and/or losing money, market share, or competitive advantage.

The ability to envision future scenarios, balancing reality and imagination, is critical to predict, preempt, prepare, and manage the risks we face.

Post 9/11, despite the stand-up of a sizable and impressive Department of Homeland Security, I believe that our Achilles' heel is that we continue to not be imaginative enough--and that is our greatest risk.

For example, while on one hand, we know of the dangers of weapons of mass destruction--including nuclear, chemical, biological, and radiological devices--as well as new cyber weapons that can threaten us; on the other hand, we have trouble imagining and therefore genuinely preparing for their actual use.

Perhaps, it is too frightening emotionally or we have trouble coping practically--but in either case, the real question is are we continuing to proceed without adequate risk-loss mitigation strategies for the future scenarios we are up against?

Frankly, living in the suburbs of our nation's capital, I am fearful at what may await us, when something as basic as our power regularly goes out, when we get just a moderate rain storm in this area. How would we do in a real catastrophe?

In my mind, I continue to wonder what will happen to us, if we proceed without taking to heart the serious threats against us--then the tragic events of 9/11 will have unfortunately been lost on another generation.

Like with the reinsurers, if we do not open our minds to perceive the catastrophic possibilities and probabilities, then the risky business that we are in, may continue to surprise and cost us.

(All opinions my own)



May 25, 2011

Apples or Oranges

There are lots of biases that can get in the way of sound decision-making.

A very good article in Harvard Business Review (June 2011) called "Before You Make That Big Decision" identifies a dozen of these biases that can throw leaders off course.

What I liked about this article is how it organized the subject into a schema for interrogating an issue to get to better decision-making.

Here are some of the major biases that leaders need to be aware of and inquire about when they are presented with an investment proposal:


1) Motivation Errors--do the people presenting a proposal have a self-interest in the outcome?

2) Groupthink--are dissenting opinions being actively solicited and fairly evaluated?

3) Salient Analogies--are analogies and examples being used really comparable?

4) Confirmation Bias--have other viable alternatives been duly considered?

5) Availability Bias--has all relevant information been considered?

6) Anchoring Bias--can the numbers be substantiated (i.e. where did they come from)?

7) Halo Effect--is success from one area automatically being translated to another?

8) Planning Fallacy--is the business case overly optimistic?

9) Disaster Neglect--is the worst-case scenario imagined really the worst?

10) Loss Aversion--is the team being overly cautious, conservative, and unimaginative?

11) Affect Heuristic--are we exaggerating or emphasizing the benefits and minimizing the risks?

12) Sunk-Cost Fallacy--are we basing future decision-making on past costs that have already been incurred and cannot be recovered?

To counter these biases, here are my top 10 questions for getting past the b.s. (applying enterprise architecture and governance):

1) What is the business requirement--justification--and use cases for the proposal being presented?

2) How does the proposal align to the strategic plan and enterprise architecture?

3) What is return on investment and what is the basis for the projections?

4) What alternatives were considered and what are the pros and cons of each?

5) What are the best practices and fundamental research in this area?

6) What are the critical success factors?

7) What are the primary risks and planned mitigations for each?

8) What assumptions have been made?

9) What dissenting opinions were there?

10) Who else has been successful implementing this type of investment and what were the lessons learned?

While no one can remove every personal or organizational bias that exists from the decision-making equation, it is critical for leaders to get beyond the superficial to the "meat and potatoes" of the issues.

This can be accomplished by leaders interrogating the issues themselves as well as by establishing appropriate functional governance boards with diverse personnel to fully vet the issues, solve problems, and move the organizations toward a decision and execution.

Whether the decision is apples or oranges, the wise leader gets beyond the peel.


August 21, 2009

Taking the Politics out of Enterprise Decision Making

Some people say power is primarily exerted through military might (“hard power”), others say it is through use of diplomacy—communications, economic assistance, and investing in the global good (“soft power”). Then, there is a new concept of employing the optimal mix of military might and diplomacy (“smart power”).

It’s interesting to me how the Department of Defense—military approach—and the Department of State—diplomatic approach—are as much alive and well in our enterprises as they are in the sphere of world politics to get what we want.

At work, for example, people vie—some more diplomatically and some more belligerently—for resources and influence to advance their agendas, programs, projects, and people. This is symptomatic of the organizational and functional silos that continue to predominate in our organizations. And as in the world of politics, there are often winners and losers, rather than winners and winners. Those who are the “experts” in the arts of diplomacy and war (i.e. in getting what they want) get the spoils, but often at the expense of what may be good for the organization as a whole.

Instead of power politics (hard, soft, or smart), organizations need to move to more deliberate, structured, and objective governance mechanisms. Good governance is defined more by quantifiable measures than by qualitative conjecture. Sound governance is driven by return on investment, risk mitigation, strategic business alignment, and technical compliance rather than I need, want, like, feel, and so forth. Facts need to rule over fiction. Governance should not be a game of power politics.

Henry Mintzberg, the well-known management scholar, identified three mechanisms for managers to exert influence in the organization (Wall Street Journal, 17 August 2009):

1. Managing action—“managers manage actions directly. They fight fires. They manage projects. They negotiate contracts.” They get things done.

2. Managing people—“managers deal with people who take the action, so they motivate them and they build teams and they enhance the culture and train them and do things to get people to take more effective actions.”

3. Managing information—“managers manage information to drive people to take action—through budgets and objectives and delegating tasks and designing organization structure.”

It is in the third item—managing information—that we have the choice of building sincere business cases and creating a genuine call to action or devolving into power politics, exerting hard, soft, and smart influence to get what we want, when we want it, and how we want it.

When information is managed through the exertion of power, it can be skewed and distorted. Information can be manipulated, exaggerated, or even buried. Therefore, it is imperative to build governance mechanisms that set a level playing field for capturing, creating, calculating, and complying with a set of objective parameters that can be analyzed and evaluated in more absolute terms.

When we can develop decision support systems and governance mechanisms that take the gut, intuition, politics, and subjective management whim out of the process, we will make better and more productive decisions for the enterprise.

