FLAWLESS COMPLIANCE

John Weathington, Compliance Consultant

Flawless Compliance (tm): A free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington for Excellent Management Systems, Inc.

This and back issues of this newsletter are archived for free viewing at http://www.excellentmanagementsystems.com.

Copyright 2009 John Weathington. All Rights Reserved.

Issue No. 16, April 2009

Inside This Issue:

  • What in the World?: When Risk Runs Out of Control - How to Avoid a Compliance Pandemic
  • Center Stage: Underestimating the Evil Genius - Staying Safe in Cyberspace
  • Hello Rubber, Meet the Road: Please Don't Stand So Close to Me - Straight Talk for the Micro-Manager
  • In The Soup: The Party's Over for Northern Trust - How Wadell Blew Our Bailout Money
  • The Gag Reel of Life: Risky Guidance - How Not to Write Policy

When Risk Runs Out of Control

How to Avoid a Compliance Pandemic

Families in Mexico trying to protect themselves from Swine Flu.

Is it possible for risk to mutate, causing a compliance pandemic for your company?

Losing control is very scary. This is exactly where we are today with the swine flu scare. If you’ve ever tried to drive a car on icy roads, you know what I mean. Even with four-wheel drive and snow chains on, there’s an unmistakable twinge that strikes your gut when your back tires lose their grip on the road and you start fishtailing. You take immediate action to regain control—foot off the gas, and turn into the slide. Of course you know that things can go in one of two directions at this point. If your car is properly equipped, chances are your tires will eventually catch the road again and with a little effort you’ll be on your way. Of course, there’s no guarantee. One night driving from California to Nevada in conditions like this, my brother actually lost control and found himself buried into a snow plow that was trying to clear the roads.

Right now the nation is starting to fishtail, and the scary thing is that we don’t know how this is going to end up. We’ve sounded the alarms, and we’ve rallied the troops, and it’s all in the name of—getting control of the situation.

I recently spoke to a group of small business owners about control, and I explained that control is about expectation. When things are happening that you don’t expect, you’re losing control. The nation is currently losing control of the swine flu situation, because our expectation is to cure it before it spreads too wide, but that’s just not happening right now.

What’s interesting is how something like this develops. I’m not a Darwinist, but this is definitely natural selection at work. A virus is a living organism like you and me. We like to think that humans are the smartest beings on the planet, but that’s debatable, and we’re not likely to hear the arguments from any other species, including viruses. The fact remains that throughout history influenza viruses have given us a pretty good challenge for the top seat on earth. According to some accounts, the Spanish flu claimed up to 100 million lives. And they keep coming back, like Rocky Balboa.

We can’t contain deadly viruses like this, because they mutate. The virus that we’re trying to deal with right now is a mutation of its ancestor, which is, unfortunately for us, the Spanish flu virus that did so well against us not more than 100 years ago. This one’s actually part bird, part pig, and part human, like some super-villain that Spider-Man would have to protect us from.

So, can compliance violations mutate and cause a compliance pandemic?

The answer is no, but that doesn’t mean you’re safe. The reason compliance violations cannot mutate is that compliance is fixed around a regulation, guideline, policy or some other standard. Once the standard is set, you should know whether or not you’re in compliance. Of course these standards can change, but when they do, it’s usually in a controlled manner, and there are no surprises.

The problem is not compliance; it’s risk. Remember, compliance is about controls that mitigate risk. But just because you’re compliant doesn’t mean you’re not exposed. Just because you wear a hard hat doesn’t mean your head is out of harm’s way.

Unfortunately risk is something that mutates like a virus, and here’s why. Let’s look again at the fundamental components of risk: probability, impact, and detection. In qualitative terms, on a construction site the probability of something falling on your head is high, the impact is extremely high, and detection can be somewhat low: so wear a hard hat. All three fundamental components of risk are dependent on the environment, which unfortunately is constantly changing. And for some reason (call it Murphy’s law), environments always seem to change to a more risky position (higher probabilities, higher impacts, lower detection).

Another reason why risk mutates out of your favor is the human element. In many cases, the risk that you’re trying to mitigate involves other human beings doing bad things. Casinos are constantly running the risk that people will cheat. And as the controls get better, so do the cheats, so casinos have to constantly try to stay one step ahead. Not an easy task.

The key is to keep an eye on these fundamental components of all your risks, and constantly test to make sure your assumptions on probability, impact and detection are still correct. The odds are that your risk will mutate, so it would be foolish to control for it one time and expect that those controls will keep you safe. Before you know it, you could find yourself in a compliance pandemic.


Underestimating the Evil Genius

Staying Safe in Cyberspace

Are you safe from cyber-criminals?

The year is 2009 and it seems like China has hacked into the Pentagon’s $300 billion fighter jet program. This is the most expensive weapons program in the history of our nation, and cyber-spies were able to hack in.

Since the government currently has no one office responsible for cyber security, they’ve now decided it’s a pretty good idea to centralize the efforts of protecting our most sensitive networks. Now that the Internet is over 25 years old by most accounts, I don’t think that’s a bad idea.

So the new National Cyber-Command (or whatever they decide to call it) is great, but how in the world did Chinese (at least we think they’re Chinese) cyber-spies break into one of the nation’s most top secret programs? Well I hate to be the one to break it to you, but cyber-spies (in any nation) are really, really smart. That’s how.

Being brought up in Silicon Valley, I know the breed well. I myself was an ethical hacker for a while and I knew other hackers as well. It goes without saying, but these people are highly intelligent and they know everything there is to know about how the Internet works. The reason why I emphasize this is because I get the feeling cyber-spies are grossly underestimated.

Let’s see how well they did. Based on the information we know, they found vulnerabilities in the networks of a few contractors that were working on the program. Once in, they started siphoning off data about the new super-jet; however, we don’t know for sure what they took, because the spies inserted technology that encrypted the data as it was being stolen. As a result, there’s really no way to know what was even stolen. Very clever. In my mind they did a pretty good job; I’m impressed.

The official record says that nothing “real sensitive” was stolen, but in my opinion that’s a bald-faced lie in the interest of national security. My feeling is that this breach is going to cost us taxpayers a HUGE amount of money. The cat’s out of the bag on a lot of sensitive information and we cannot use it now, so get ready for big spending on rework.

As I stated earlier, I don’t think people realize how easy it is to crack a computer that’s on the Internet. Nowadays, people are comfortable doing everything online. Web-based banking is routine, and submitting your credit card information to someone over the net is about as common as getting a drink of water from a faucet. There’s even a website called mint.com that centralizes all your financial activity. All you have to do is register all your bank accounts, credit cards, home loans, and investment accounts with the site; as soon as you provide all your passwords to mint.com, it can consolidate your financial picture into one convenient database. Now, isn’t that convenient?

Are you serious?

The funny thing is that any and all Gen-Y people I talk to think this is the best thing since wireless keyboards. Of course all the Boomers I talk to think it’s the most ridiculous thing they’ve ever heard. Umm, I have to side with the Boomers here.

The reality is this. If your data is connected to the Internet you are in a very vulnerable state. I think it’s convenient to believe that your data is safe, and you want to believe everybody when they tell you it is, but I’m here to tell you the truth—it’s not.

If you don’t already have a cyber-security team in place, I would follow the government’s lead and get to it right away. Do your best at protecting your network and hire ethical hackers to see if they can break in. Move all your secret data offline—yes, offline. Your sensitive data should not be connected to the Internet in any way. And take measures to protect your data from internal attack, as this is your highest risk.

Underestimating a hacker’s ability to break into your network is one of the worst mistakes you can make. What would you do if one of your competitors had all your secret information? They might have it already, and you don’t even know.


Get Your Business Under Control

John Weathington

Do you feel like you're losing control of your business? Control is about meeting an expectation, and if your business is not meeting your expectations you might want to have a professional come in and take a look.

For small businesses only, I'm offering a 50% discount this month on my "Get it Under Control" package. This is a one-time assessment of your company with recommendations, and a full week of unlimited phone calls and emails. Normally $1000, your price in May is only $500 when you mention this ad.

Please Don’t Stand So Close to Me

Straight Talk for the Micro-Manager

A project manager’s involvement can take two different extremes and the result is terrible on each end. On one side you have the completely uninvolved manager and on the other side you have the micro-manager. You would think that somewhere in the middle is where your project management style should land, but you’d actually be wrong.

There’s no argument from me that the uninvolved project manager is a disaster. This is the person who never talks to his team, and never knows what’s really going on. This is a project manager who “manages up,” and cares more about how he looks to upper management than figuring out what’s really going on with his project. These projects always end up in the same place—dead in the water. Because of this, such managers have mastered the art of spin control so they don’t look bad when the project fails. I’ve seen people make a whole career of failing on projects. It’s unbelievable that the organization doesn’t catch on, but that’s another story.

But then there’s the micro-manager. We all know this project manager as well. It seems like they don’t have anything else to do but constantly bug you for information. Then once they find out what you’re doing, they always have a “better” way of doing it and insist you do it their way. Of course, if it works out it was their idea, and if it flops you did something wrong. Their projects sometimes do come in on time because of all the focus the project manager is paying to the project. However, it’s not a true win, even if the stakeholders get what they want, when it comes at the expense of your team’s morale.

For me though, there’s nothing wrong with the micro-manager’s level of involvement. It’s their style of involvement that’s the problem. A micro-manager becomes a bad manager when they cross the line on what their role and responsibility is. So let’s review what a project manager should and should not do:

A project manager should:

  • Set up project plans, and collect data on how tasks are tracking to plan
  • Collect information on issues and risks, and help support the team by mitigating risk
  • Constantly adjust scope, time, and cost to bring the project in balance with reality
  • Share and communicate effectively with everybody involved in the project
  • Assign resources to tasks based on resource availability
  • Protect the team from outside influences and interferences
  • Inspire the team, and keep morale up

A project manager should not:

  • Tell team resources how to do their job
  • Probe team resources for information on how they’re doing their job
  • Demand or negotiate estimates of work to be completed
  • Argue with business analysts or users on what the requirements are
  • Redo other people’s work

In general, everybody has a role on the team. Users provide requirements to business analysts, and together they own the requirements. Developers (or other implementation resources) do the work and estimate how long it will take. Project managers communicate what’s going on, support the team, and generally facilitate the project through to completion. When roles get crossed, as happens with the typical micro-manager, things get confusing and frustrating.

So if you get the sense that you’re a micro-manager, my advice to you is this. Maintain the high level of involvement; it’s the only way you’ll be able to efficiently balance the project with reality. However, remember that your engagement with your implementation resources (e.g. developers) consists of them telling you how much longer things are going to take, and what’s stopping them from doing their job. That’s all you need to know. Likewise, your engagement with your business analysts consists of them explaining the requirements to you at a level where you can explain them to everyone else.

Trust your team to do what they do best, and support them at every crossing. In the end, they’ll support you back by bringing in successful projects: not because they have to, but because they want to.


The Party's Over for Northern Trust

How Wadell Blew Our Bailout Money

Frederick W. Wadell, CEO of Northern Trust Bank.

Mr. Frederick W. Wadell is in the government soup this month for partying on your money.

The 56-year-old CEO of Northern Trust Bank (a Chicago-based bank) took $1.6 billion in bailout money from us, then decided to party like a rock star with it in LA. Here are some of the highlights according to TMZ:

The whole event was centered around the Northern Trust Open golf tournament which they sponsored at a price tag estimated in the millions. But that’s not all. You can’t have a golf event without…

… flying in hundreds of clients and putting them up at fancy hotels like the Ritz Carlton and the Casa Del Mar in Santa Monica.

… a fancy dinner at the Ritz Carlton with entertainment by the band Chicago.

… an entertaining evening with Earth, Wind and Fire.

… a private party at the House of Blues, including a lavish dinner followed by a few songs by Sheryl Crow.

… a cocktail party at the Loews, where female guests received gift baskets from Tiffany’s.

Representative Barney Frank, chairman of the House Financial Services Committee, speaks at a news conference in Washington, Feb. 3, 2009. Photographer: Joshua Roberts/Bloomberg News.

So what’s all this worth? Well, we don’t know all the numbers, but:

  • An enchanting evening with the band Chicago, $100,000.
  • Shutting down the House of Blues for one night, $50,000 (not including Sheryl’s fee).
  • Sponsoring a super-extravagant golf open, $ millions.
  • The look on Barney Frank’s face when he found out—priceless.

Frederico, looks like you got some ‘splaning to do.


Risky Guidance

How Not to Write Policy

Here’s a real sign you’ll find in Florida:

Unreasonable policy will not be followed.

Always make sure that when you write policy, you take the time to look at it from the point of view of the person or people who need to follow it. If you don’t, it might end up about as useful as this sign.

Always Please Remember

Always please remember to buckle up. It could save your life.

If you are having problems viewing this, please visit the Flawless Compliance archive at http://www.excellentmanagementsystems.com/flawless.jsp.

Flawless Compliance is a free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington and Excellent Management Systems, Inc.


To Subscribe, please visit the Flawless Compliance section of my website, http://www.excellentmanagementsystems.com .


You may also Unsubscribe, by sending an email to newsletter@excellentmanagementsystems.com, with the Subject of "Unsubscribe to Flawless Compliance".

© 2009 John Weathington. All Rights Reserved. This publication is so copyrighted, it's not even funny. However I encourage you to share it, whole or in part, with proper attribution.