It’s Thursday, August 16th, and this is the latest edition of the Feagin Company Weekly Risk Report: what you need to know to stay current in risk management. Visit our website at feaginllc.com.
Told You So – Secret Recordings
There will be more secret recordings popping up, but TV ratings will drive whether you hear about them or not. This week it was Omarosa’s secret recordings of calls with President Trump. Before that, Chief of Staff John Kelly in the White House Situation Room. Bottom line, this is happening in organizations from the board room to the janitor. TIP: put a Faraday cage on the conference room table and require all electronics to be placed inside. Ed Snowden used a microwave oven…works fine; just make sure you don’t accidentally hit the ‘popcorn’ button.
Focused Risk – Unhinged Workers
According to a PRNewswire article, Career Builder found in a study that 70% of employers are using social media profiles and posts to screen employees. While artificial intelligence is becoming more accurate at predicting things like emotional quotient, perhaps “common sense” should also be used. The risk? Workplace violence, among many others. Drivers: rage, anger, harassment, integrity, ethics, low performance, and the fact that it is getting harder to fire sub-optimal employees. Check out Omarosa and Piers Morgan highlights from Celebrity Apprentice (funny if it weren’t so sad)…would you hire either of them? Double check your own content…keep in mind, once you post it, it’s somewhere.
Systems Engineering Approach
In my experience, an effective governance model is one that focuses on risk management as a communication capability and not a set of “must do” activities. Standardize your risk process for the whole organization. A common core mindset only needs two other enablers to provide solid capabilities: 1) stakeholder engagement, and 2) a tool that can be used to document, monitor, and communicate these threats and their actions. I call this a systems approach, and it allows me to integrate enterprise, supply chain, business continuity, disaster recovery, all the way down to program and project risks into one very powerful and insightful system. Your other option? Continue to run all these risk activities as disparate functions and waste a lot of time and money…not to mention, lose valuable insights that could be a performance game changer. My article back in 2015 gives a little more detail: ERM and Systems Engineering
Hypoxic State of Mind
An Enterprise Risk Management expert once told me, while opining about my systems approach to ERM which included the integration of programs and projects, “you are way down here…I am waaaaay up here…Board and C-level risk management (hand gestures included). Maybe you’ll get here someday.” Last time I checked, the P&L is won and lost at the project level where business is actually executed. If you don’t integrate risks at all levels, deep and wide, across the organization and aggregate them into top level ERM categories (Strategic, Finance, Operations, IT, HR, etc.) for insights and control, then chances are you are missing out on a huge opportunity to improve the P&L (see supply chain example below). #1 excuse I hear for not doing this? “It’s hard.” Not as hard as you may think, and “it’s hard” is not an excuse, it’s a cop-out.
Emerging Risk – Social Engineering
Let’s assume you have the best cyber defenses and the best physical security (buildings, etc.). A social engineer looks for ways to infiltrate these protections. They play on human psychology, and according to Dr. Robert Cialdini’s research from his book Influence, there are six key principles to influencing people: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. Let’s focus on “authority” or, as Cialdini defines it, the action of following the lead of someone who is considered credible and knowledgeable. Suppose someone shows up in a uniform at the back door of your secure building, dressed like a serviceman, toolbox in hand. Appear credible? Of course. Waiting for someone to enter or exit, he piggy-backs into the building. Once in, he makes his way around, finds an unattended computer, quickly inserts a tiny USB device in the back of the computer, something like PoisonTap, and leaves. He now has access to everything on that computer and, in many cases, the entire cyber ecosystem. Sound like fiction? It’s a true story…thankfully the perpetrator was one of the good guys. Stopping there.
Supply Chain Risk Management
Integrate with Enterprise Risk Management
I followed a systems engineering approach to develop supply chain risk management capabilities years ago. In short order, this approach generated many $-millions in cost savings, avoidance, and efficiencies…and yes, it was integrated with ERM. Why wouldn’t you do that? Hypoxia, maybe?
“Supply chain” implies a simplistic and sequential flow of supply; most think of it like that. The reality of a supply chain is that before a part, sub-assembly, or finished product makes it to the customer, it may zig and zag from multiple vendors multiple times. This back and forth makes it almost impossible to model; convoluted. I like visual perspective so on a call with an executive from a Fortune 500 company last week, he rightly said, “I no longer call it the supply chain, I call it the supply web.” Thanks for the visual “J.” See you soon.
We’re gonna map your supply chain…yeah, right
Don’t you love it when you get that sales call from someone who wants to come in and improve your supply chain? You ask, “what will you do for me?” They say, “we’re going to model your supply chain for you!” You say, “so what” (try it sometime). They continue: “we are going to map your Tier I suppliers, then your Tier II, and then your Tier III all the way to the beginning.” Next question…“ok, how are you going to do that?” Check in next week’s report as I continue this discussion. I’ll give you some of my top insights. Till then, here’s a post I wrote on the topic in 2016.
The failure of the promise of AI/Big Data…
By Benjamin Nieuwsma “rockstar” A.I. Engineer
Companies are treating it [Artificial Intelligence] like a magic bullet. Many believe that the more data the better, but they fail to see the diminishing rate of return… Systems require design. Intelligent outcomes require intelligent programming…and bigger systems even more so.
Ecuador in a state of emergency as refugees flee from Venezuela
Ex-CIA boss John Brennan no longer has a Security Clearance but given the current climate, I wonder if he has any secret recordings.
The United States is standing up “Space Force” by 2020 and being accused of militarizing the galaxy. If this eventually enables me to say to an Apple watch “beam me up,” then I’m looking forward to it.
Trustwave released Social Mapper…now every Tom, Dick, and Harry has access to powerful tools used by professional hackers…thanks. #protectyourprivacy
Revisions to the Code of Corporate Governance and Singapore Exchange Listing Rules were announced on Monday. Focus: board independence and diversity and better shareholder engagement.
Cyber risk in the supply web should be a high priority risk because it’s a high impact risk. IoT isn’t helping…neither is the fact that this niche cyber risk is missing from many enterprise risk lists.
Michael Faraday invented the Faraday cage in 1836. They aren’t foolproof.
- Higher Education
- More on the Supply Web