Paradigm Shift International | Essay
Enterprise Agility—Is Risk Management

Plain and simple, the value proposition for enterprise agility is rooted firmly in risk management. The purpose of agility is to maintain both reactive and proactive response options in the face of uncertainty. We explore the value proposition in terms of enterprise risk management (ERM)—with an important twist. Current ERM extends standard risk-management strategies to a larger set of business risks, notably those of operations and project decisions—but it is generally focused on risk analysis as it affects the available choices. That is half the story. The other half of risk management is to proactively increase the choice options with lower-risk alternatives. That is precisely the purpose of agility.

CFO Magazine [1] cited Seminole Electric Cooperative as an early adopter of ERM. "We needed to create a broad list of risks facing the company, not just the risks that executive staff had cited, but risks perceived by executives across all corporate lines," says John Geeraerts, Seminole's financial services VP. They boiled an initial 60 defined risks down to a forced top five. "Number one was electrical-generation capacity—the loss of a generating plant due to an unplanned or forced outage. The company evaluated factors such as tornadoes and terrorist incidents that would disrupt power supply or cause a unit to go down. The second-highest risk was loss of market, a concern given Seminole's status as a cooperative. [The next three were] the need to have an optimum mix of power resources to serve customers, fuel price volatility, and regulatory risks, such as the impact of potentially stricter environmental standards." Mitigation was then considered. "For fuel price volatility, the option is a fuel hedging program; for the loss of power lines, the option is insurance; for the risk of terrorism, the option is elevating our security officer to senior staff level," notes Geeraerts. Given the focus on security today, I expect this was more than a simple title change.

Economist Frank J. Bernhard, interviewed by CSO (Chief Security Officer) Magazine, describes the difference between economic risk and business risk: "Economic risk can involve things like supply-and-demand conditions or geopolitical events. Business risk extends to the outcome of not getting investors. Or losing customers. Or the failure of a product or service [2]."

CIO Magazine [3] ran an excellent article on ERM—as a business process, not as a buzzword software package. Many, but not all, of the values and examples they cite are related to making better corporate and departmental IT project decisions. But then, decisions about IT infrastructure and business process support affect the entire organization, with major operational impact—especially if they fail to perform as and when expected. Scott Berinato, writing in CIO on ERM and its relationship to IT, says: "The reason these risks are suddenly being accounted for is because the systems are becoming ever more critical. Today, one bad IT decision can severely hamper—or even take down—a company."

The ERM-Agility Connection Is Made

Rockwell-Collins, an aerospace company, is cited by CIO Magazine as an early adopter of ERM decision-making procedures. According to the magazine, they lost 20% of their revenue-generation capabilities as a result of 9/11, yet ... "The company has turned a profit every single quarter after 9/11. And in January 2004, Forbes called Rockwell Collins the best-managed aerospace firm in America... 'We're able to react [to that complex environment] because of our risk mind-set,' says [CIO John-Paul] Besong. 'With what happened to us, our agility was called to task. And we had the risk methodology in place to handle it.'" When I worked with them during the nineties we didn't associate our agility work with enterprise risk management. They have clearly made the connection since.

Energy sourcing, disaster planning, customer credit, cash flow protection, and security are commonly practiced forms of risk management. Less commonly treated as risk-management concerns are the potential impacts of new business processes, IT infrastructure and applications, outsourcing, and growing electronic automation and networking, to name some.

Agility expands the options for response when unpredictable events occur, by reducing the cost and time of response and by increasing the predictability and range of response. It does this principally through infrastructure, systems, and business processes that are structured for response ability—explored later in this continuing series. And, as will be shown, it is not necessary to reengineer massively or disruptively to gain benefits—because the very nature of agile structuring supports graceful, incremental migration. Agility is, after all, about effective change management.

Security Risk Management

Energy sourcing aside, the biggest risk-management activity is associated with security, as every employee is involved to some extent. The Department of Homeland Security, spurred by 9/11, looks at the Energy and Utility sector as part of the critical national infrastructure, and is concerned about any security breach that can affect service, not just acts of terror. Staggering increases in email- and Internet-borne worms and viruses have elevated the focus as well. Now organized identity theft from customer databases has escalated, with liability on the company that owns the database. And of course there is now Sarbanes-Oxley, with its various vagaries about what will really be audited and who will really be held responsible in post-event auditing.

Security technology and its deployment are clearly not keeping up with the escalation of threat and exploitation. Waiting for magically superior and affordable technical solutions may well be one of those Sarbanes-Oxley gotchas—especially if the internal security strategy, composed of policy, procedure, and practice, is found wanting. Security strategy is a business process, distributed as it may be. The technology portion of this strategy is at the mercy of policy, procedure, and practice—which are people-based systems. Peopled systems in business environments are subject to human behaviors and organizational behaviors, neither of which is effectively constrained by compliance to policy and procedure, or by consistency of practice. Both people and organizations can be whimsical, willful, vengeful, criminal, forgetful, distracted, expedient, unknowing, and otherwise act outside of what they ought to do. Security risk reduction is not ensured by technology; it is only partially enabled by it. Policy, procedure, and practice reign—precisely where reality bites. Even good policy, procedure, and practice, written in the corporate book, run up against the realities of organizational, human, and environmental behaviors. Let's look at reality.

Reality Issues Affecting Security Strategy

The Enterprise Risk Management—Integrated Framework [4] from COSO (Committee of Sponsoring Organizations of the Treadway Commission) contains the following caveat: "While enterprise risk management provides important benefits, limitations exist. ... limitations result from the realities that human judgment in decision making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to achievement of the entity's objectives."

These reality factors hurt precisely because they are insufficiently recognized when would-be-agile system and process requirements are established. If they are understood for what they are, and addressed with respect, they can be greatly mitigated and sometimes precluded. Seven compromising areas of uncontrollable behavior have been identified by The Agile Security Forum [5] as a Reality-Issues Framework. They basically stem from forces so natural and dominant that rules and penalties cannot alter their influence effectively. Keeping the Forum's same seven reality-factor areas, I've couched the framework in Utility-specific issues here:

1 - Increasing pace of new technology - Upgrading and replacing the IT infrastructure and applications at Utilities is necessary for acceptable-practice parity, and is increasingly demanded by regulatory bodies for cost containment and improved customer service. Yet we see new vulnerabilities in legacy systems still being discovered and exploited. Newer technology brings new and different vulnerabilities; that's what new technology does. Decreasing technology life cycles and increasing technology variety amplify the situation. The historical record is undeniable.

2 - Increasing complexity of systems - The march is on in the Utility sector for better integration of systems that support operations. Likewise for more network reach: network node count is growing and networks are interconnecting on larger scales with more sophistication. The complexity of software systems alone has long passed our abilities for analytical predictability. Networked business operations overlaid with a networked global community have added new combinatorics and complexity. We cannot predict with any assurance at all the results of a system change, no matter how small. Companies merge and race to interconnect; they upgrade, replace, and add new technology continuously; competition and opportunity drive evolving customer and supplier interfaces; and business operations are fragmenting and distributing business processes globally. The law of unintended consequences expresses itself naturally in complex systems under change—and is irrefutable.

3 - Creeping agile-business practices - Whether a Utility considers itself agile or not, it cannot avoid outsourcing imperatives for IT, billing, call centers, and other business processes; nor electronic response-enhancing interconnects with energy suppliers, energy brokers, co-generators, demand-response customers, automated meter reading, SCADA (supervisory control and data acquisition) field assets, and wireless-linked field personnel. These alone don't constitute an agile enterprise strategy, but they are, nevertheless, part of today's business strategy, driven by needs for better spot-responsiveness. You can't escape it, yet each move brings new and greater security vulnerability.

4 - Increasing globalization - Not a regional game anymore, Utilities are outsourcing business processes off-shore, buying energy off-shore, and merging multi-nationally. Globalization brings more interconnected business operations—and with it, different ethics, different values, different perceptions of risk, different interconnected technology, and different nation-state interests. This means more sources of vulnerability, at the least; but economics and growth pursuits will not be denied, in any event.

5 - Natural human behavior - Security impacts individual productivity and goal priorities. In so doing, it is often ignored or circumvented in actual daily decision making and practice. We humans are wired the way we are. We make decisions every day, all day long—as IT system administrators, as policy makers, as procedure followers, as users in all departments at all levels, and even as disgruntled employees. Our perceptions of what is right or expedient are biased by hopes and expectations, as well as by the latest alligator that influences our immediate priorities and values. We are the source of human error. On top of all of this, we are whimsical. Rules are made to be broken, and they are, in any event, made for others who are less wise than we. Murphy's law is not a joke. And all of this just deals with people who are trying to do the right thing. But the perverse also exist. Optimal by-the-book actions and decisions do not and will not prevail anywhere.

6 - Natural organization behavior - Organizations are aggregates of natural human behaviors. On top of that, they have a collective mind of their own. Security impacts organizational productivity and goal priorities. In so doing, strategy is typically designed and deployed inadequately. Among decision makers there are inherent conflicts which remain unresolved, power politics and positions that exert biased influence, and competing interests for limited resources. Research shows that decision makers are ruled first by individual rather than group objectives, mitigate conflict by compromising greater values to achieve consensus, seek solutions that are acceptable rather than optimal, and vary risk-seeking and risk-averse behavior with economic conditions. As shown in my book on decision-making reality [6], neither local optimality (within a company or department) nor global valuation (for the greater community or the company) is a standard characteristic of organizational decision making and behavior. It won't be changed—it's the nature of the beast.

7 - An agile attack community - Ashby's Law of Requisite Variety demands that a response system be at least as agile as the environment that creates the need for response. Scourge technology has advanced to the point where we now speak of zero-hour attacks, for the time it takes from release to massive Internet presence. Meanwhile the increasing sophistication of attack development and tool technologies has already reduced the time between vulnerability discovery and exploitation to mere days. Infected machines and public distribution of attack tools mobilize massive resources quickly. Large-scale grass-roots retaliation occurs when independent personal reactions weigh in patriotically on national disputes or indignantly target companies on the wrong side of a thought-community. Amateur and professional alike benefit from this loosely-connected global collaboration of independent resources. These developments are less than three years old—more are on their way. As more value is made more available for theft and damage, the targets of opportunity become irresistible.

Don't hear all of that as gloom and doom. It is just a dose of reality. There are ways to reduce risk even as these reality forces increase the pressure—but only if reality is confronted for what it is, and the mitigation strategy is at least as agile as the forces it faces. More will be said about how this is done at another time.

How bad, and where, does reality bite now? You've read this far, so maybe you're interested enough for some quick poll involvement: eleven fast check-box questions. Results will be published when 100 responses are received, and will likely influence future topic coverage.
©2004 RKDove - Attributed Copies Permitted - Essay #66 - First Published as Utility Agility - Is Risk Management - Part 3, IssueAlert®