FLAWLESS
COMPLIANCE

John Weathington, Compliance Consultant

Flawless Compliance (tm): A free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington for Excellent Management Systems, Inc.

This and back issues of this newsletter are archived for free viewing at http://www.excellentmanagementsystems.com.

Copyright 2008 John Weathington. All Rights Reserved.

April 2008

Inside This Issue:

  • What in the World? Scholarly Sharpshooters: College Students Fight to Carry Firearms
  • Center Stage: Does America Need More Financial Regulation? Paulson Cracks Down on America's Financial Markets
  • Hello Rubber, Meet the Road: Controlling Uncertainty, or How to Manage Risk on a Compliance Project
  • In The Soup: Spammer Goes to the Slammer, "King of Spam" Finally Convicted
  • Life's Gag Reel: Flintstone Car Gets Ticketed, Innovation Meets Regulation

What in the World?

Scholarly Sharpshooters

College Students Fight to Carry Firearms

Students rally for their rights to carry firearms on campus.

College students say they’ve had enough, and are ready to bear arms.

According to NPR, the recent fatal shootings on college campuses in Illinois and Virginia have prompted 12 states to consider legalizing handguns on college campuses. This and other related movements are being propelled, in part, by Students for Concealed Carry on Campus ( SCCC ). Stephen Feltoon, one of the organization’s directors, says, “The Illinois shooting made people realize college campuses aren't as safe as administrators would have them believe.”

Feltoon and company have a good case. They’re not asking for any special gun carrying privileges because they’re students. They would gladly follow all the normal state and federal laws that are required for wielding a firearm. In fact most of the members of the SCCC already have a license to carry a firearm. The restriction is with the college campuses – firearms are not allowed on the premises. Their argument is quite familiar. If you outlaw firearms on campus, then the only firearms on campus will be held by the outlaws.

  • Do the colleges have a good control in prohibiting firearms on campus?
  • Do the students have a good proposed control in allowing students to carry handguns on campus?
  • Is there something better that should be considered?

Let’s analyze this using our familiar objective, risk, control framework, and see what we come up with.

The objective in this case is to have a safe learning environment for our college students. This has always been the overriding goal of our institutions of higher education, and it seems until recently that the goal ( from a safety standpoint ) was relatively risk free. Until …

The risk of some nutcase student sneaking on campus with a firearm and opening fire suddenly appeared. If you’ll remember, risk equates to uncertainty, so actually this risk always existed. It seems recently however, that the probability that this risk event will occur has increased. Since the impact of this risk can be severe or fatal injuries, it needs more attention.

To parallel with an extreme, there is also a risk that a stray meteor will crash into the college. The impact would probably be even more devastating than our lunatic student mafia; however, the probability is so remote that the colleges probably have not invested in any equipment to monitor meteor impact, or organized any meteor collision evacuation procedures.

So to control this risk, the colleges have decided to prohibit firearms on campus. The control proposed by the students, on the other hand, is to allow students to carry concealed firearms on campus.

When analyzing controls, it’s useful to use the dimensions of timing ( before and after the risk event occurs ), and cause / effect of the risk event. If we combine all the permutations, we can classify controls into four categories:

  1. Corrective Control: A Corrective Control is a control that addresses the cause of the risk event, after the risk event occurs.
  2. Adaptive Control: An Adaptive Control is a control that addresses the effect of the risk event, after the risk event occurs.
  3. Preventative Control: A Preventative Control is a control that addresses the cause of the risk event, before the risk event occurs.
  4. Contingent Control: A Contingent Control is a control that addresses the effect of the risk event, before the risk event occurs.

A useful example is that of a building on fire. Here are some options for controlling the risk that your building catches on fire:

  1. Corrective Control: Fire Extinguisher. You are treating the cause ( fire ), and the risk event has already occurred.
  2. Adaptive Control: Rebuild. The event ( fire ) has already occurred, and you are addressing the effect ( destroyed building ).
  3. Preventative Control: Secure and Contain Combustible Materials. The event hasn’t occurred yet, and you are treating the cause ( the fire ).
  4. Contingent Control: Buy Insurance. The event hasn’t occurred, and you are treating the effect ( destroyed building ).

As a rule of thumb, you want to shoot for Preventative Controls. These are the best types of control, because they’re put in place before the impact of the risk event is realized, and they address the root cause of the problem.

So, what about our college regulation of not allowing firearms on campus? Well, let’s back up a bit. The effect is severely or fatally injured students, and the cause is crazy kids with firearms. The timing is certainly before any risk event occurs ( it’s not reactive ), and the control is going after the cause ( firearms ) and not the effect ( injured students ). This would actually be an ideal Preventative Control except for one thing – it seems to be ineffective. Controls only matter if they are effective controls. The lesson here, is that you should always test your controls to make sure they’re effective.

Okay, what about the SCCC’s proposal to allow college students to carry concealed firearms on campus? Well, we’re still going after the cause ( crazy kids with guns ), however this time we’re treating the cause after the risk event has occurred. This is a Corrective Control which is not ideal, but if it’s effective, then it’s better than the ineffective control in place today.

For the sake of completeness, let’s take a look at some other types of controls for this situation. An Adaptive Control would be after the fact, and would address the effect ( severe or fatally injured students ). An example would be counseling for the families, or rushing the severely injured students to the hospital. A Contingent Control would also address the effect, however in anticipation of the shooting. An example Contingent Control would be establishing an on-campus emergency center that was outfitted to handle severe injuries including gunshot wounds.

My conclusion is that the colleges are going in the right direction with trying to prevent the risk from occurring. However, they need to figure out a better way to make their controls effective. Some ideas might include teaching teachers and students how to recognize aberrant behavior, and / or increasing their capacity for detecting students that are carrying firearms.

Feltoon, I admire your cause, but I think there’s a better way to handle the situation.

Center Stage

Does America Need More Financial Regulation?

Paulson Cracks Down on America's Financial Markets

Treasury Secretary Henry Paulson.

It's no big mystery that our financial markets are in big trouble these days. The American people are simply overleveraged, and walking away from their credit obligations. And this is causing some severe downstream effects.

To prevent a financial meltdown, Treasury Secretary Henry Paulson is proposing a complete overhaul to the way the US Government regulates our financial system, according to CNN Money.

The highlights of Paulson’s plan include:

  • Grant more power and oversight responsibility to the Federal Reserve, allowing it to regulate and intervene if necessary if they suspect we’re heading for a financial fallout.
  • Allow the central bank more regulation over investment banks.
  • Introduce regulation in financial areas that aren’t currently regulated, like hedge funds and private equity firms.
  • Combine the Securities and Exchange Commission with the Commodity Futures Trading Commission.
  • Fold the Office of Thrift Supervision ( currently responsible for overseeing federally chartered institutions ) into the Office of the Comptroller ( currently responsible for overseeing national banks ).
  • Introduce federal regulation for insurance companies.
  • Introduce a federal agency to regulate the mortgage industry.

Of course, there are no real specifics at this point, just a lot of “ideas”. And of course, there is a lot of criticism and skepticism from various camps. For instance, House Speaker Nancy Pelosi would like to see more action ( as would I ), and Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, has his own set of regulations that he’s trying to propose.

If you think the government is trying to protect your individual interests, think again. All this regulation is to protect the financial system from collapsing. Nobody in the government cares about you if your house is foreclosed on.

Don’t get me wrong. Saving our financial system from collapsing is a good thing for all of us, and will indirectly affect all Americans. But, if you think the government is trying to “save” you because you can’t pay your mortgage bill, you’ve got another thing coming.

Here’s how it works.

Everybody’s rolling the dice on the consumer. It’s a big insurance game, and if they get caught, America is in big trouble.

It’s the equivalent of the Los Angeles fires, only much worse. All those homes in Los Angeles were insured. The home insurance companies are taking a gamble that the amount that they collect in premiums will be able to pay all the commissions and salaries, plus pay for the damages if a few fires happen. They spread their risk out over as many homes as they can, that way if they have to pay damages for a few fires, that’s okay because they’re collecting premiums on a much larger base. They’ve calculated the probability that a fire will happen, and adjusted your premiums accordingly. In the next section on Risk Management, we’ll explore how to apply these concepts to your compliance project, however the key here is the risk calculations. If their probabilities are off, or there is a catastrophic event like a sweeping fire that takes out a lot of homes at once, this game is not fun for them anymore. This is enough to put an insurance company or two out of business.

On a much grander scale, that’s what’s happening to America. The whole financial system is predicated on the assumption that only a few people will default on their credit obligations. In general, banks borrow money from the government, then loan it to you so you can buy your house.

But where does the government get its money from? Pretty much, nowhere!

The government is playing the same game as the home insurance companies. They have to count on the fact that you will pay your mortgage. Now they’re expecting a few people to default, but when too many people default at once, America’s got problems! However, unlike the insurance companies, America can’t go out of business!

Fortunately, America has great resolve and resources, and we will pull through this one. We can’t however have this happen on a recurring basis, which is why Paulson is calling for such a drastic overhaul.

So, is more regulation the answer? According to an instant poll at CNN Money, Americans are split right down the middle – 50/50. It’s a tough call, however my answer is, “No.”

Although I’m in the business of compliance, I strongly believe that government intervention is a bad thing, and over-regulation is just a recipe for disaster. I don’t believe the bad guys should be allowed to take advantage of Americans with unscrupulous practices, but I think the economics should play themselves out. If lenders are stupid enough to loan people with a 450 FICO score 110% of the inflated value of their home, then they deserve to get defaulted on, and they should go out of business. And the borrower who accepted that loan should suffer some financial hardship, so they can realize the need to get some financial education and avoid making such a ridiculous choice again. As Darwinian as it sounds, I believe it works.

If there’s anything I like about this direction, it’s the focus on consolidation of the “financial supply chain”. I feel information is the key, and you won’t be able to do it right, until you get all the moving parts together. I feel the exploration and discovery is where the real value is. A concentrated effort to understand how all these moving parts interact with each other should be undertaken. Then, a national effort to disseminate this information in an understandable way, and educate the American public on how to use this information, is the next logical step. Provide people and institutions with the information necessary to make a logical financial decision. If the real data is available, and lenders are still willing to engage in such an idiotic transaction – that’s their fault.

On a personal note, if Paulson wants more regulation, that spells more work for me!

So, either way, I’m in a good spot, but my advice to you and America is – let the financial economics play out.


John Weathington's Quest for Compliance

John Weathington

Quest Software has invited me to be an Expert Blogger at their portal called Toad®World. My new blog, "John Weathington's Quest for Compliance", is a discussion for DBAs, database developers, and IT management on compliance concerns, observations, issues, and solutions. So all you database experts out there, please join the discussion.

Hello Rubber, Meet the Road

Controlling Uncertainty

How to Manage Risk on a Compliance Project

When auditing other projects, risk management is one of the key things that I often see completely missing. Failure to identify and manage risk in a project will almost certainly cause your project to overrun. Addressing risk is straightforward when you follow a few simple steps.

But first of all, let’s understand what risk is. Simply stated, risk is uncertainty. It’s something that might or might not happen. All risk has a probability of occurrence and an impact. The probability of occurrence is a percentage ( between 0 and 100 ), and represents the chance that a risk event will occur. A 0 percent probability means the risk event will never occur, and a 100 percent probability means the risk will certainly occur. In both of these extreme cases, the event is no longer considered a risk, as there is no uncertainty left.

The impact of a risk is how the risk event will affect your project if the risk event occurs. Impact should be evaluated in a manner consistent with rebalancing the project, so scope, time, and cost considerations all play a part in risk impact. Contrary to popular belief, not all risk impact is negative. There is a concept of positive risk, in which an uncertain event has a positive impact on your project.

To absorb risk, you should set up a risk reserve. Usually, a risk reserve is tracked by cost; however, if cost is not a concern, you can use time, scope, or any combination of the three. There are two types of reserves: contingency reserve and management reserve. Contingency Reserves are allocated for risks that you have identified, or known risks. Management Reserves are allocated for risks that you have not identified. Management reserves represent a respect for the reality that you cannot anticipate all types of uncertainty.

So when you set up your compliance project plan, be sure to follow these 12 steps for Risk Management:

  1. Brainstorm with your team, all the possible things that could go wrong ( or right ) with your project. You are looking for anything that could cause an overrun ( or under run ) in cost, time, or possibly scope. A good technique is to use Post-It notes on a whiteboard.
  2. Create an Affinity Diagram of the results. An Affinity Diagram is a grouping of like items. Create headings on the whiteboard, and organize all the Post-It notes into logical groups.
  3. Revisit each group, doing another brainstorm on each individual group. The grouping should trigger more insights on additional risks. When you are done, you should have at least 50 - 75 risks. The more the better.
  4. Compile the list of risks onto a spreadsheet, and assign probabilities and impact to each risk.
  5. Normalize both the probability and impact to a scale from 1 to 10. Probabilities should be pretty easy; you can divide by 10 and round. Impact ratings must be subjective. Low impact risks will get a 1, and high impact risks will get a 10.
  6. Separate out all the risks that have an 80-100% probability of occurrence ( score of 8 – 10 ). Since the certainty is so high on these items, it’s better to just assume they will happen. Record them as normal tasks on your project plan.
  7. Perform a Qualitative Risk Analysis. Create a 100-square matrix with probability in columns ( from 1 to 10 ), and impact in rows ( from 1 to 10 ). Now shade in ( starting from the ( 10, 10 ) coordinate ) all the squares you will consider important enough to deal with. The ( 1, 1 ) square should not be filled in, and the ( 10, 10 ) square should be. The rest of the puzzle depends on your tolerance for risk. If you are risk averse, most of the squares should be shaded. If you are risk inclined, only a few should be shaded.
  8. From your comprehensive risk list, pull out only the risk items that have the probability / impact combinations that you deem important.
  9. Go back through the “unimportant” list, and have a project meeting with all necessary stakeholders, to determine what else should go on the “important list”. Do not skip this step! This is where common sense prevails over methodology.
  10. With the field of risk thinned out, perform a Quantitative Analysis. Assess impact in terms of cost ( in dollars ) and time ( in days ). Then multiply both by the probability of occurrence, and record these numbers as “expected cost” and “expected time”.
  11. Sum up the total of your “expected cost” and “expected time” for your entire project. This is what you should allot for your Contingency Reserve. Add your contingency reserve to your total project cost and time.
  12. Set up a Management Reserve to accommodate the “unimportant” risks, and anything else you might not have caught. The amount you choose is based on your level of overall risk comfort for the project, and your experience. A general rule of thumb is 10% of the new project time and cost ( after the Contingency Reserve is added in ); however, in the case of very risky types of projects ( e.g. technology ) or environments ( e.g. overly political and / or dysfunctional organizations ), you may need a 100% Management Reserve, or more!
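
The 12 steps above, carried through on a small constructed risk register, as an added example that is not part of the newsletter. Steps 1 through 3 ( brainstorming and the affinity diagram ) produce the list by hand; the script picks up at the compiled spreadsheet of step 4 and runs through the two reserves of steps 11 and 12. The risks, dollar figures, the $100,000 / 90-day base plan, and the "product rule" used to shade the matrix in step 7 are all this example's assumptions, since the newsletter leaves the shape of the shaded region to your own risk tolerance.

```python
"""Worked example of the 12-step risk procedure on a small compliance project.

Added example, not code from the newsletter; every risk and figure below is
constructed. Steps 4-12 are implemented; steps 1-3 happen on the whiteboard.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability_pct: int    # chance of occurrence, 0-100 percent (step 4)
    impact_rating: int      # subjective impact, 1 = low .. 10 = high (step 5)
    cost_if_occurs: float   # dollars the event would cost the project (step 10)
    days_if_occurs: float   # days the event would add to the schedule (step 10)


def probability_score(pct: int) -> int:
    """Step 5: divide the percentage by 10 and round (half up), kept in 1..10."""
    return max(1, min(10, int(pct / 10 + 0.5)))


def shaded_squares(tolerance: int) -> set:
    """Step 7: shade the 10x10 probability/impact matrix.

    Assumed product rule (not from the newsletter): square (p, i) is shaded when
    p * i is greater than `tolerance`. A risk-averse manager passes a small
    tolerance (most squares shaded); a risk-inclined one passes a large one.
    For any tolerance from 1 to 99 the (1, 1) square stays clear and (10, 10)
    is shaded, as the step requires.
    """
    if not 1 <= tolerance <= 99:
        raise ValueError("tolerance must be between 1 and 99")
    return {(p, i) for p in range(1, 11) for i in range(1, 11) if p * i > tolerance}


def plan_risk(risks, base_cost, base_days, tolerance=20,
              stakeholder_additions=(), management_pct=0.10):
    """Steps 6-12: classify the risks and size both reserves."""
    shaded = shaded_squares(tolerance)
    assumed, important, unimportant = [], [], []
    for r in risks:
        p = probability_score(r.probability_pct)
        if p >= 8:                                        # step 6: near-certain
            assumed.append(r)
        elif (p, r.impact_rating) in shaded:              # step 8: matrix says so
            important.append(r)
        elif r.name in stakeholder_additions:             # step 9: common sense
            important.append(r)
        else:
            unimportant.append(r)

    # Step 6: near-certain events become ordinary tasks, so their full cost and
    # time go into the base plan rather than into a reserve.
    planned_cost = base_cost + sum(r.cost_if_occurs for r in assumed)
    planned_days = base_days + sum(r.days_if_occurs for r in assumed)

    # Step 10: expected value = impact (dollars or days) * probability of occurrence.
    contingency_cost = sum(r.cost_if_occurs * r.probability_pct / 100 for r in important)
    contingency_days = sum(r.days_if_occurs * r.probability_pct / 100 for r in important)

    # Step 11: the Contingency Reserve is added to the project cost and time.
    cost_with_contingency = planned_cost + contingency_cost
    days_with_contingency = planned_days + contingency_days

    # Step 12: the Management Reserve is a percentage of the new totals.
    management_cost = cost_with_contingency * management_pct
    management_days = days_with_contingency * management_pct

    return {
        "assumed_tasks": [r.name for r in assumed],
        "important": [r.name for r in important],
        "unimportant": [r.name for r in unimportant],
        "contingency_reserve": (contingency_cost, contingency_days),
        "management_reserve": (management_cost, management_days),
        "total": (cost_with_contingency + management_cost,
                  days_with_contingency + management_days),
    }


# Constructed sample register for a hypothetical compliance project.
SAMPLE_RISKS = [
    Risk("Key DBA reassigned mid-project", 30, 8, 20000, 15),
    Risk("Audit evidence format changes", 60, 5, 5000, 5),
    Risk("Printer runs out of toner", 50, 1, 100, 0.5),
    Risk("Regulator publishes final guidance late", 90, 7, 12000, 20),
    Risk("Vendor tool license delayed", 10, 9, 8000, 10),
]


def sample_plan():
    """Run the sample register against a constructed $100,000, 90-day base plan."""
    # Step 9: stakeholders insist the low-probability license risk stays important.
    return plan_risk(SAMPLE_RISKS, base_cost=100000, base_days=90, tolerance=20,
                     stakeholder_additions={"Vendor tool license delayed"})


if __name__ == "__main__":
    for key, value in sample_plan().items():
        print(f"{key}: {value}")
```

With the sample register, the 90%-probability guidance risk becomes a planned task ( step 6 ), the toner risk falls below the shaded region and lands on the "unimportant" list, the license risk is rescued by the stakeholder review of step 9, and the Contingency Reserve comes out at the sum of the expected values, with the Management Reserve taken as 10% on top of the new totals.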

As the project executes, make sure to track the risks as they occur, and adjust the project plan and the reserves as appropriate. It’s very important to keep track of all these facts, so you can demonstrate to stakeholders how risk is affecting your project. In many cases, this aspect is overlooked and never communicated to the stakeholders. As mentioned earlier, this invariably causes an uncomfortable disclosure regarding project overruns.

Keeping risk under control is the sign of a prudent and responsible project manager. Don’t let risk get out of control on your project. Following these simple 12 steps can make the difference between happy and irate stakeholders.

In The Soup

Spammer Goes to the Slammer

"King of Spam" Finally Convicted

Robert Soloway, the "King of Spam."

Robert Soloway, the "King of Spam" is in the soup, and on his way to the pokey.

This Month's Special: "Spam Soup!"

According to Yahoo! News, the world's best known spammer could be facing up to 26 years in prison for tax evasion and fraud.

There have been several civil judgments against this underbelly of cyber-society; however, true to character, he has thumbed his nose at the legal system, avoiding the payment of any and all fines, including a $7.8 Million Microsoft settlement.

Well, it's all over now. Sentencing is scheduled for June, and I personally hope they stick him with the highest possible penalty.

Folks all over the Internet, including myself, would love to send a message loud and clear to all the rest of the spammers out there, "I don't want to make a fortune with no money down, I don't want to help anybody in Nigeria, and I don't need anything on my person enlarged!"

Kudos to the Department of Justice. For once, they're actually using my tax dollars for a great cause!

Life's Gag Reel

Flintstone Car Gets Ticketed

Innovation Meets Regulation

Check out this hilarious video of a modern day Flintstone Mobile getting pulled over by the Bedrock Police Department.

Flintstone Car Gets Ticketed. Available on YouTube at http://www.youtube.com/watch?v=ynTKnPehv24

The Compliance Lesson: Innovation is good, but it must still be tempered with regulation to be useful. Or -- a good idea stays an idea until compliance makes it practical.

Always Please Remember
Always please remember to buckle up. It could save your life.

If you are having problems viewing this, please visit the Flawless Compliance archive at http://www.excellentmanagementsystems.com/flawless.jsp.


To Subscribe, please visit the Flawless Compliance section of my website, http://www.excellentmanagementsystems.com .

To Unsubscribe, send an email to newsletter@excellentmanagementsystems.com with the Subject of "Unsubscribe to Flawless Compliance".

© 2008 John Weathington. All Rights Reserved. This publication is so copyrighted, it's not even funny. However I encourage you to share it, whole or in part, with proper attribution.