French Caldwell

A member of the Gartner Blog Network


Are we using the right equation for communicating risks?

October 27th, 2009 by French Caldwell · No Comments

Jeffrey Wheatman, Guest Blogger

Last week, after a grueling but exciting five days at Gartner Symposium in Orlando, I found myself sitting on my return flight back to the home office. I cracked open my brand-new copy of Freakonomics, a book I have long had on my list and never quite got around to reading. While reading the book, which I enjoyed very much (though this is not a book review), I stumbled across a very interesting concept that the authors referenced and that I think may be highly valuable.

We’re all familiar with the commonly utilized equation for risk –

risk = impact * probability

Very simply, the likelihood of something bad happening multiplied by how much damage it would do tells us what our risk is. It seems to make sense, yet many of our clients struggle to use this type of information to justify expenditures in hard dollars and work effort to remediate these risks.

The authors reference work by Peter Sandman, a self-described risk communication consultant located in Princeton, NJ. Mr. Sandman has built a successful consulting business around a very different equation for communicating risk –

risk = hazard + outrage

Mr. Sandman’s work is predicated on the fact that people don’t really understand the components that make up risk; instead they are influenced much more by the perceived hazard (how much harm it is likely to do) and the level of outrage (how upset people are likely to be) than by the realities of the risk. There are many examples of how terrible humans are at estimating probability and impact, e.g. you are 12 times more likely to die in a car accident than a motorcycle accident, and yet every time I talk to my wife about buying a motorcycle she tells me how dangerous they are, but she thinks nothing of sending me to pick up the kids in the car.

It seemed to me, as I flew through the air at 750 miles an hour in a huge hunk of metal (BTW, it is safer per hour of travel to fly than it is to drive), that maybe our traditional approach to expressing risk was doomed to failure because of two factors –

  1. Impact is incredibly difficult to quantify. We’ve seen many attempts to quantify and/or qualify risk, with varying levels of success. But the reality is that even with the hundreds of clients we work with every year, at the end of the day we are asking our managers to accept our estimate of what the impact would be. These assessments of impact are based on our experience, knowledge and ability to ferret out real from perceived issues, and are really just best-guess estimates.
  2. Probability is a variable that is very difficult to quantify with any great level of success or defensibility. We have seen numerous attempts to communicate probabilities, e.g. “there is a 20% likelihood that this will occur this year,” “it is extremely likely that this will occur this year,” or “it is highly likely that this risk will occur once over the next five years.” All of these are different ways of expressing probability, but frankly none of them is all that accurate or defensible.
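The two phrasings of likelihood in item 2, and the broader problem of defending a single number for either term of the equation, can be made concrete. The following Python is an added example, not code from this post or from Gartner. The incident figures in it are constructed for illustration, and the modelling choices (a triangular low/most-likely/high range for each term, and a simple "did it happen this year" draw against the sampled probability) are assumptions of the example, not anything the post prescribes. It converts between per-year and multi-year likelihoods, then replaces the single-number risk = impact * probability with a simulated range of annual losses, so a funding request can be phrased as "a roughly 1-in-10 chance of losing more than X this year" rather than as one expected value.

```python
# Added example (not from the original post): probability and impact as
# ranges rather than point estimates. All scenario figures are constructed.
import random


def per_year_to_horizon(p_year: float, years: int) -> float:
    """P(at least one occurrence within `years`), assuming independent years."""
    return 1.0 - (1.0 - p_year) ** years


def horizon_to_per_year(p_horizon: float, years: int) -> float:
    """Per-year probability implied by 'P(at least once in `years`) = p_horizon'."""
    return 1.0 - (1.0 - p_horizon) ** (1.0 / years)


def point_estimate(probability: float, impact: float) -> float:
    """The textbook formula from the post, risk = impact * probability, with single numbers."""
    return probability * impact


def percentile(sorted_values, q: float) -> float:
    """Nearest-rank percentile on an already sorted list; q is in [0, 1]."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate_annual_loss(prob_range, impact_range, threshold, trials=20000, seed=7):
    """Monte Carlo over a single year.

    prob_range and impact_range are (low, most_likely, high) triples, which an
    assessor is usually willing to defend when a single number is not.  Each
    trial draws a probability and an impact from a triangular distribution,
    decides whether the event happened this year, and records the loss
    (0.0 if it did not).  Returns summary statistics plus the plain
    point estimate for comparison.
    """
    p_low, p_mode, p_high = prob_range
    i_low, i_mode, i_high = impact_range
    rng = random.Random(seed)                     # fixed seed: repeatable numbers
    losses = []
    for _ in range(trials):
        p = rng.triangular(p_low, p_high, p_mode)  # random.triangular(low, high, mode)
        if rng.random() < p:
            losses.append(rng.triangular(i_low, i_high, i_mode))
        else:
            losses.append(0.0)
    losses.sort()
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": losses[-1],
        "p_exceeds_threshold": sum(1 for x in losses if x > threshold) / len(losses),
        "point_estimate": point_estimate(p_mode, i_mode),
    }


if __name__ == "__main__":
    # "20% this year" and "about a two-in-three chance of at least once over
    # five years" are the same statement; the phrasings are convertible.
    print(f"20%/year over 5 years: {per_year_to_horizon(0.20, 5):.3f}")
    print(f"'likely (80%) once in 5 years' -> per year: {horizon_to_per_year(0.80, 5):.3f}")

    # Constructed scenario: an incident the assessor will only commit to as
    # "10-40% this year, most likely 20%" and "$50k-$500k, most likely $150k".
    summary = simulate_annual_loss(
        prob_range=(0.10, 0.20, 0.40),
        impact_range=(50_000, 150_000, 500_000),
        threshold=250_000,
    )
    for key, value in summary.items():
        print(f"{key:>20}: {value:,.2f}")
```

Two things the single number hides show up immediately in the output: the median year loses nothing at all (most years the event does not happen), while the mean of the simulated losses is well above the most-likely-times-most-likely point estimate, because both ranges are skewed toward the high end. The "probability of exceeding a threshold" figure is the one a CFO can actually act on.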

I began to think that, as much as we tell clients not to use FUD (fear, uncertainty and doubt) to sell security, maybe Mr. Sandman actually has the right idea. Throughout the chapter we see discussions that revolve around the “interpretation” of the impact of a risk: interpretations that motivate people to change their behavior, or legislators to enact laws to protect us from ourselves, but that are not tied to any reality.

Maybe we ought to start thinking of risk in more than one way before we go ask for money, or process changes or whatever we think we need to do to protect our companies from themselves – for good or for bad.

Hey, I am just thinking here.


Knowledge Management — Time to Come Out of the Closet

October 11th, 2009 by French Caldwell · 9 Comments

What is the most important role of the IT department in managing enterprise risks?  Is it to just manage IT’s own risk, with a focus on security?  Is it to get better alignment of IT services to business needs?  Is it to advise the general counsel, the chief financial officer, and other business executives on the IT solutions that can help to improve risk management?  It’s all of the above, truly.

But the biggest and most impactful role for IT in enterprise risk management is to ensure the best alignment possible of information to business needs.  For business alignment, don’t start with the technology infrastructure: start with the information.  Many enterprises have adopted and advanced knowledge management programs to do just that.  We don’t hear as much about them these days, but there are many successful KM programs in successful enterprises.

I was talking to Mark Raskino the other day about his upcoming Cannes Symposium Mastermind interview of the CIO of Shell.  I mentioned to him that Shell is one company that adopted KM early and continues to embrace it.  There are others in many different industry sectors.  In government, for example, the U.S. Army credits KM with directly impacting operations.

A lot of KM professionals, though, have not been getting much love for a long time.  Between the collapse of the tech bubble in 2001 and the economic collapse of 2008 they went into hiding, changing the names of their programs and projects, so they now talk about social networking instead of tacit knowledge, or about being information-centric instead of knowledge-centric.  These are all valid alternative terms, but by taking the common K-word away, many enterprises have diffused their information strategies and deflated the effort to take an enterprise-wide approach to getting the maximum business value possible from their information.  The ultimate goal of an enterprise knowledge management program is to put a strong business focus on the alignment of knowledge to enterprise needs, whether that is the knowledge in someone’s head or the knowledge captured in a database.

All of us in the IT industry, whether we are vendors, service providers or users of IT, should quit avoiding the K-word.  Alignment of information to business needs is job one, and KM is the strategic discipline for putting the right focus on that alignment.  It is the most strategically valuable information risk management tool available to CIOs and other business leaders.  For all those KM professionals, like me, who have been in the closet for the last eight years: in these tough economic times our organizations need us now more than ever, so let’s bring KM into the light again.


Best of the Week in Risk Management

September 14th, 2009 by French Caldwell · No Comments

Gartner’s special report on vendor risk management, which my colleague Helen Huntley and I led, points to over two dozen research notes on the topic.  The fact that analysts from several different research groups at Gartner have contributed points to the complexity of the challenge facing any IT leader seeking to improve VRM.  Many businesses, as well as government and other organizations, increasingly rely on IT vendors and service providers to support core business processes. This reliance exposes them to greater risk of delivery disruption or failure and damage to their reputation, as well as to the other business and IT risks facing their IT suppliers. Challenging economic conditions compound these risks. CIOs, vendor managers and risk managers who want to get started with VRM can refer to Gartner’s Simple Vendor Risk Management Framework and Toolkit: Getting Started at Vendor Risk Management.


Best of the Week in Risk Management

September 7th, 2009 by French Caldwell · No Comments

In the end, all risk management is information management, but the reverse is not true.  Much information management is done without a risk-oriented view or a business-oriented view, and the result is a lot of wasted time and money.  So how about taking a risk-oriented business approach to information management? (Should I invent a new acronym: ROBA?  Hey, let’s put a trademark on that!)

Anyway, while I ponder trademarking and servicemarking ROBA, I suggest anyone interested in getting a handle on strategic information management take a look at Pattern-Based Strategy: The Value of Information by Kristian Steenstrup and Tina Nunno.


Best of the Week in Risk Management

August 30th, 2009 by French Caldwell · No Comments

Take a look at these Gartner research notes published in the last week:

Transparency Provides Opportunities and Threats in the 21st Century — Like it or lump it, thanks to a combination of regulation and technology, transparency is here to stay. This note points out how to maximize business opportunities and manage the risks of transparency.

Magic Quadrant for Operational Risk Management Software for Financial Services — ORM offerings are becoming increasingly complex as convergence moves in multiple directions. This market brings together quantitative and qualitative risk management with compliance.  Many of these vendors also appear in the enterprise GRC platforms magic quadrant.


Should Your Principles Be on a Wiki?

August 20th, 2009 by French Caldwell · 3 Comments

A NYT piece about how the Army is using wikis to write doctrine made the rounds on a Gartner analyst e-mail distribution list today.

Doctrine is supposedly doctrine because the principles it teaches age slowly.  So, is a wiki the right vehicle for maintaining doctrine?  I imagine the colonels who really write the Army’s doctrine must be chewing up their cigars and spitting ‘em out after reading this piece.

The Navy and Marine Corps have always looked down on written doctrine.  One of my favorite sayings, attributed to a Navy admiral, is: “Doctrine is guidance to be followed in the absence of any other intelligence, including human.”

The sea services looking down their noses at written doctrine is not merely service rivalry; rather, the Army has tended to put too much in the way of operational procedures and instructions in its doctrine.  In fact, if doctrine is considered to be a set of core beliefs or principles, most of what is in Army doctrinal manuals is not doctrine.  The Marines have doctrine too, for instance “every Marine is a rifleman.”  But try finding a 100-page doctrinal discussion of that: it doesn’t exist, and never has.

The Army saw the failures of doctrine in Iraq, and how the gaps were filled by social networking.  To the Army’s great credit, they learned the lesson and then brought the social networking in-house and have supported it.

So what we may be looking at in the Army is the end of doctrine as training manuals, procedures and instructions.  Expeditionary warfare requires that those be changed more often than the Cold War system can support, so doctrine exists, but it is stripped of the operational procedures, which must change rapidly.

What’s left as doctrine are the core principles of operation, not procedures.  Perhaps unfortunately, the sea services have adopted the “doctrine” word in recent decades, but on the other hand they seem to have stuck to core principles of operation when they use the term: compare this Marine Corps list of doctrinal publications to the Army list.  See the difference?


New Hammers for New Nails — Big U.S. Regulatory Overhaul

June 17th, 2009 by French Caldwell · No Comments

“Today, my administration is proposing a sweeping overhaul of the financial regulatory system, a transformation on a scale not seen since the reforms that followed the Great Depression,” announced President Barack Obama today from the White House.

While the changes are big, they are not as sweeping as they could have been.  Political obstacles prevented the emergence of an uber-financial-regulator that would have combined the many financial regulators into one agency.  So, while significant, it is important not to overstate the extent of this reform.

Some of the reform announced formalizes relationships and practices that already exist.  For instance, the new Financial Services Oversight Council formalizes the collaboration between supervisory agencies that already takes place.  However, there are three areas of significant change, and for CIOs of banking, investment and consumer credit firms affected by the reform, the changes will be impactful.

First, many investment firms that have been lightly regulated, like hedge funds and private equity firms, will now have to register.  Second, large firms that are considered too big to fail will come under the Federal Reserve Board’s new systemic risk oversight.  Third, consumer credit firms will face a new federal regulator in addition to state regulation.

Gartner will publish research shortly with our recommendations for CIOs and IT managers on how to manage their risk management and compliance activities in light of these regulatory reforms.  In the meantime, my colleagues and I are at your service and clients should schedule inquiries to discuss these developments.


There’s More to the New Normal than the Economy

June 16th, 2009 by French Caldwell · No Comments

The Great Recession Is Not the New Normal

Pundits have pointed to the development of a new normal by describing what path the economic recovery will follow.  Some expect a traditional V-shaped recovery and others a double-dip W.  George Soros once called for what might best be called an inverse square root, that is, a false recovery followed by a deep slide into a long trough, with the long-term recovery beyond most business planning horizons.  Soros has since changed his tune and is more optimistic.

This analyst, with no crystal ball, says there is a good chance they are all wrong.  For those looking for the shape of the economic recovery, just look around you now — this is it.  Last Fall, markets crashed globally, and $50,000,000,000,000 of equity was lost.  Some portion of that has been recovered in a partial recovery — maybe 35 percent or so.   This is the new normal — a crash followed by a recovery.  The fact that we don’t like this recovery as much as we did the last one is really tough luck — but this is the recovery we’ve got — this is the new normal, at least economically.

In this new normal, for the foreseeable future, markets will hover plus or minus 15% of where they are now, unemployment will be higher than what is comfortable, public debt will be outrageous, and perhaps what is most different, nationalisation of private enterprise is not out of the question.  And it will seem that high inflation is right around the corner.

The chief characteristic of the new normal is uncertainty, but economic uncertainty is not part of it.  As far as the economy goes, WYSIWYG: it’s not great, but for policy makers it’s survivable.  Rather, the uncertainty concerns other factors of globalisation, like consumer and investor confidence, sustainable development, the pace of globalisation, etc.  This new normal, a period of uncertainty, will continue through the planning horizons of most businesses, at least through the first half of the next decade.  Perhaps by 2016 we’ll begin to see another period of high growth.  Perhaps.


The FBI Internet Is Broken

May 25th, 2009 by French Caldwell · No Comments

As much fun as sitting around and doing nothing can be while the Internet is down, it can be a bit over the top sometimes, especially if your job is to root out terrorists.  Many, if not most, intelligence and counter-terrorism analysts at the FBI, the U.S. Marshals Service and Homeland Security have been without Internet access since Wednesday.  While this Gartner analyst has known that this outage has extended for several days and has withheld comment for good reason, at some point the ongoing failure of our national security IT types to resolve the issue becomes too much to hold back.  So, when will this outage be fixed?


Join My Webinar Tuesday on GRC Markets

May 22nd, 2009 by French Caldwell · No Comments

To register, here’s the link: High-Tech Tuesday Series: Risk Management and Compliance: Still Selling? 11 a.m. EDT / 15:00 BST

In 2008, the global economy entered uncharted waters and took all of us along as passengers. The rapid collapse of the financial system, the failure of regulators to prevent it and the well-publicized examples of large-scale fraud have eroded public trust in financial institutions and the governments that regulate and monitor them. There are no clear routes to safety. This era of the unknown is full of risks, and many organizations are showing a renewed interest in risk management and solutions and services to help them stay safe and whole in what will be an extended period of uncertainty.

What You Will Learn

I’ll discuss the following topics:
What are the market drivers and inhibitors for governance, risk management and compliance (GRC)?
What forces are shaping the demand for GRC solutions?
How are GRC solutions evolving to meet market demands?

SEE YOU THERE!
