January 20th, 2010 by French Caldwell · 1 Comment
Having grown up in hurricane country, I have a pretty good idea as to the barriers to disaster relief. My hometown of Pascagoula has seen two “storms of a lifetime” in my lifetime and countless other hurricanes and tornadoes. So though I have something to say, understanding the barriers to rapid relief as I do from first-hand experience, I didn’t want to join in the immediate post-Haiti chorus of blame.
But — here’s a story. In 1992, I was working for the Secretary of the Navy. I was his analyst for intel and special projects. The morning after Hurricane Andrew devastated Homestead, Florida, I walked down to the Navy situation room in the Pentagon and asked the duty captain what was being done to ready Navy and Marine Corps assets for response. The answer — ‘nothing.’
Based on my experience at sea, I had made a critical error in my assumptions. At sea, when a crisis erupts in his region of operations, a good skipper will begin to move his ship as close to the scene as he can, anticipating that he and his crew will receive orders in response to the crisis. That way, once the orders are received, the skipper is already in position to execute them.
So my mistake was in thinking that this kind of anticipation would occur within the halls of power as well. But it doesn’t. Government agencies will not usurp the role of other agencies. In other words, Andrew was a FEMA issue, and CINCLANT needed information from FEMA on what was needed for the response, and was not going to anticipate what ‘might’ be needed.
There’s an even bigger issue — military forces frankly are not designed for disaster relief. They are designed to break things and kill — not to put things back together. Sure — many of the assets that an Army division or a Marine Expeditionary Unit have are useful in disaster relief — but those assets are meant to support those troops on a battlefield, not to relieve the pain and suffering of civilians. A soldier is not a humanitarian relief worker — the modern Army and Marines are innovative and can respond well to disaster relief — but it’s like using a hammer to open a can of beans.
Probably the most effective role that military units play in the immediate aftermath of a disaster is the ability to assess the situation on the ground and establish effective communications. That flow of information enables the other organizations to get the flow of relief going. After Andrew, this lesson, that getting the information flow going again is the most critical first step, should have been learned. Katrina demonstrated that it wasn’t. Why isn’t there a plan yet to get an effective civilian communications grid overlaid on a disaster area? Effective assessment and good communications within 24 hours are technically feasible — why don’t we do it?
Tags: · disaster
January 13th, 2010 by French Caldwell · 8 Comments
So how about that Google — they’ve finally come back to their core principle: Do No Evil.
Not so fast, though. With both Google and China, what’s on the surface is not what’s really happening.
So, some speculation on Google’s new approach to China — and remember this is just purely personal speculation — and maybe I read too many John le Carré novels:
This cyberattack gives Google a great cover — the prodigal vendor returning to their core principle “do no evil.” Tears my eyes.
You gotta love the plot. Schmidt backs out of an untenable situation that he created, blaming the Chinese. The prodigal vendor returns to its principles, and Google is lauded for standing up to the Chinese.
Notice how Google also spins the good work they’ve done in helping the Chinese human rights activists who through no fault of Google had their Gmail accounts hacked. That’s a nice little sub-plot (also known as a red herring).
Bottom line — The substance of this event within Google’s executive chambers has nothing to do with security. Publicly announcing this attack and the suspected source is a PR event by Google to extricate itself from China, just like other web services firms Yahoo and eBay before them — we may never know the real business reason.
———————————————–
p.s. — the next time you send Gmail, think about this: How does Google know which Gmail users are “advocates of human rights in China?”
Tags: · Public Policy, reputational risk
January 12th, 2010 by French Caldwell · 5 Comments
I’ve been involved in some discussions recently around GRC that remind me about the arguments around KM — as to whether it is a valid term or not. The antagonists argue that GRC does more harm than good. They argue that the term creates market confusion, that the vendors that claim to offer GRC solutions don’t actually do so, and that you can’t actually do GRC.
They shout to kill GRC — which elicits a roar from the crowd that is fed up with vendor TLA-ism. No one asks why the term exists in the first place — it just represents a lot of nasty hard work and vendor hype — the mob roars, “Kill GRC.” It’s fun bloodsport.
Years ago I heard the same arguments around knowledge management, to the detriment of many organizations who could benefit from a sound KM strategy — a strategic approach to managing all the information and technologies that support critical business decisions. The argument then was that vendors were using the term KM to sell any kind of IT they could — portals, collaboration software, even e-mail. But none of it actually managed knowledge.
In the case of KM, the antagonists discredited the term thoroughly in the IT marketplace — no vendor wants to touch it — though to this day “knowledge management” remains among the top search terms of IT professionals. The sad situation, though, is that professionals have no good architectural foundations or common frameworks for KM. Along with the discrediting of the term for vendor usage, it became discredited as a strategic framework for managing critical business information.
Rather than discrediting vendor usage of a term — vendors will do what’s expedient for them — we need to understand why terms like GRC and KM come into being. It’s not a clever marketing ploy by devious vendors — rather it’s the fact that business and IT professionals recognize that there are some activities within their organizations that seem to have similar characteristics and relationships. While these activities are not common enough to enjoy the same IT solution, they are close enough that organizations that learn to manage the interrelated activities better can differentiate themselves. Common principles and architectures may be applied, even if common solutions cannot. I’ve tried to get a start on this strategic approach with a standard Statement of GRC Principles.
Business leaders who are making critical decisions need to know that risk management professionals and compliance professionals can work together when needed to support the business goals and objectives of the enterprise that those business leaders set through the governance process. By the way, this whole concept of GRC as an inter-related set of activities is reflected well in ISO 38500, Corporate Governance of Information Technology.
How about if for now we see how GRC plays out? Give peace a chance. It seems that the vendors are not hyping it as much as they used to do, and most are using it within context — pointing out more specifically what it is they do within the broad GRC marketplace. Let’s encourage them to keep doing that, and call them on it when they don’t.
Let’s not kill GRC, just yet, okay?
—————————————————-
p.s. I’m not keen on overly defining strategic concepts, but here’s a definition of GRC used by Gartner to illustrate the inter-relationships of its components.
Governance, risk management and compliance have many valid definitions. The following definitions illustrate the relationship of the three terms and serve for Gartner’s compliance and risk management research:
- Governance — the process by which policies are set and decision making is executed.
- Risk Management — the process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions, going beyond which creates an unacceptable potential for loss.
- Compliance — the process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
Tags: · compliance, governance, GRC, knowledge management, Risk Management, strategy
January 11th, 2010 by French Caldwell · 1 Comment

Chase Curve
In the heyday that preceded the crash, banks did not take the public sentiment about huge bonuses seriously, but what’s surprising is that since the crash they haven’t figured out a way to reward risk takers without risking their reputations. When the gap between public expectations of corporate behavior and the actions taken by corporations to address those public expectations becomes too wide, no matter how much corporations lobby, some form of restrictive regulation is created to address what the public views as unacceptable behavior. This observation was first proposed by Howard Chase, who coined the term issue management in 1976, and over the last decade failure to mind the gap has clearly driven an onslaught of regulation. While regulating the size of bankers’ bonuses won’t fix the financial system, it could change bankers’ behavior and take off the table a public policy issue that is clouding financial system reform.
Tags: · Financial Regulations, Public Policy, reputational risk, Systemic Risk
January 10th, 2010 by French Caldwell · 3 Comments
While most GRC market watchers were analyzing the EMC-Archer deal, another perhaps even more telling merger was occurring. The CEOs of BPS and Resolver, two small Canadian enterprise GRC platform vendors, brought their two companies together. BPS’ market focus has been large companies, while Resolver has focused on small to mid-size companies. The combination of the two, called BPS Resolver, creates a company that spans multiple enterprise sizes, and enables the sales forces of the two entities to exchange prospects. Furthermore, Resolver has a SaaS strategy which works well for mid-size companies. BPS Resolver has a lot to work out yet as to the management of the company and the technology roadmap, and prospects should demand clarification of both.
The GRC market continues to grow and with less than 30 percent penetration, it is nowhere near saturated. It is notable that as large vendor EMC acquired one viable GRC vendor, a new competitive vendor has arisen. Market consolidation does not mean there is no opportunity for innovation, and there is certainly no lack of competitive choices. Quite the opposite.
Tags: · compliance, GRC, Risk Management
December 8th, 2009 by French Caldwell · 2 Comments
This afternoon, I’m attending the sustainability session at the SAP Influencer Summit in Boston. Immediately, I’m asking myself whether the sustainability market strategies of SAP and other vendors are themselves sustainable. Over the last few years the hype around global climate change and the current and proposed regulation of carbon emissions have driven the sustainability market much more than other sustainability issues like corporate ethics and non-carbon related environmental concerns.
In the opening session SAP’s chief sustainability officer shared projections that the sustainability market will grow over the next several years to several billion dollars annually. Over half of this market according to SAP will be “energy management and carbon tracking.”
Most of the SAP sustainability presentations focused heavily on carbon emissions tracking, management, and reporting. European cap and trade regulations, the requirement from the U.S. EPA starting next year for companies to start reporting greenhouse gas emissions, and the still real possibility that the U.S. Congress will pass a cap and trade bill, all support a growing market for sustainability solutions.
However, it does not take the shrewdest analyst to see that the public interest in carbon has peaked and is plunging rapidly. The East Anglia Climatic Research Unit scandal on top of the economic crisis have pushed carbon to the back burner. If the carbon part of the sustainability market suffers heavily, the rest of the sustainability market, led as it has been by carbon hype, could suffer as well.
If they shrug off the rapid decline of carbon as a social concern, sustainability vendors may be damaging themselves. Public policy issues are incorporated into regulation when the gap between societal expectations and the corporate responsiveness gets too wide. Societal expectations on climate change have dropped significantly, and the impact of carbon regulation may not be as significant over the next several years as SAP and other vendors are expecting. Impact depends both on the regulatory requirements and the enforcement level of regulations.
SAP’s polling of corporate executives shows they are much more interested in energy management than they are carbon emissions. This is rational behavior — execs know they can hedge on carbon emissions by focusing on energy management, and energy management has direct business impact. Energy costs have been shown to be highly volatile in recent years, and reducing exposure to this volatility has a lot of benefit to business strategies.
Taking a cue from the interest of corporate executives in energy management, sustainability vendors should focus on helping their customers with the risk management of other resource constraints as well. Resource risk management should include:
- the ability to manage compliance risks associated with regulations and partner mandates,
- the sourcing risks of resource production and logistics bottlenecks,
- resource scarcity risks in an increasingly competitive global economy.
Tags: · sustainability
October 27th, 2009 by French Caldwell · 1 Comment
Jeffrey Wheatman, Guest Blogger
Last week, after a grueling but exciting five days at Gartner Symposium in Orlando, I found myself sitting on my return flight back to the home office. I cracked open my brand-new copy of Freakonomics, a book I have long had on my list and never quite got around to reading. While reading the book (which I enjoyed very much, though of course this is not a book review), I stumbled across a very interesting concept that the authors referenced and that I think may be highly valuable.
We’re all familiar with the commonly utilized equation for risk –
risk = impact * probability
Very simply, the likelihood of something bad happening multiplied by how much damage it would do tells us what our risks are. Seems to make sense, yet many of our clients struggle with using this type of information to justify expenditures in hard dollars and work effort in order to remediate these risks.
The authors reference work by Peter Sandman, a self-described risk communication consultant located in Princeton, NJ. Mr. Sandman has built a successful consulting business around a very different equation for communicating risk –
risk = hazard + outrage
Mr. Sandman’s work is predicated on the fact that people don’t really understand the components that make up risk; instead they are much more influenced by the perceived hazard (i.e. how much harm it is likely to do) and the level of outrage (i.e. how upset people are likely to be) than by the realities of the risks. There are many examples of how terrible humans are at estimating probability and impact, e.g. you are 12 times more likely to die in a car accident than a motorcycle accident, and yet every time I talk to my wife about buying a motorcycle she tells me how dangerous they are, but she thinks nothing of sending me to pick up the kids in the car.
It seemed to me as I flew through the air at 750 miles an hour in a huge hunk of metal (BTW it is safer per hour of travel to fly than it is to drive) that maybe our traditional approach of expressing risk was doomed to failure because of two factors –
- Impact is incredibly difficult to quantify — we’ve seen many attempts to quantify and/or qualify risk with various levels of success. But the reality is that even with the hundreds of clients that we work with every year, at the end of the day we are asking our managers to accept our estimation of what the impact would be. These assessments of impact are based on our experience, knowledge and ability to ferret out real from perceived issues, and are really just best-guess estimations.
- Probability is a variable that is very difficult to quantify with any great level of success or defensibility. We have seen numerous attempts to communicate probabilities, i.e. there is a 20% likelihood that this will occur this year, it is extremely likely that this will occur this year, or it is highly likely that this risk will occur once over the next five years. All of these are different ways of expressing probability but frankly none of them are all that accurate or defensible.
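The second bullet lists three ways of stating the same probability: a percentage for this year, a qualitative word, and a frequency over several years. The following is an added illustration, not code from the post or from Gartner, of why those statements are not interchangeable: it converts each to the probability of at least one occurrence in a single year and then applies the post’s risk = impact * probability on an annual basis. The qualitative word-to-interval bins, the $500,000 impact figure and the two readings of “once in five years” are constructed assumptions for the example.

```python
"""Annualized risk arithmetic (added example; not from the original post).

Converts the three kinds of probability statement quoted in the post into a
comparable 'probability of at least one event this year' and shows how far
apart the loss expectancies land for one and the same impact estimate.
"""
import math

# Assumed mapping of qualitative words to a one-year probability interval.
# Constructed for this example; it is not a published or standard scale.
QUALITATIVE_BINS = {
    "unlikely": (0.05, 0.25),
    "likely": (0.25, 0.70),
    "extremely likely": (0.70, 0.95),
}


def annual_from_rate(events_per_year: float) -> float:
    """Frequency reading of 'about once every N years': treat it as a Poisson
    rate of 1/N events per year; P(at least one in a year) = 1 - exp(-rate)."""
    return 1.0 - math.exp(-events_per_year)


def annual_from_window(p_within_window: float, years: int) -> float:
    """Window reading of 'probability p that it happens at least once in N
    years': assume independent years with the same annual probability q and
    solve 1 - (1 - q)**N = p for q."""
    return 1.0 - (1.0 - p_within_window) ** (1.0 / years)


def annual_from_qualitative(word: str) -> tuple:
    """Return the assumed (low, high) one-year probability interval for a word."""
    return QUALITATIVE_BINS[word]


def annual_loss_expectancy(p_annual: float, impact: float) -> float:
    """The post's risk = impact * probability, with probability per year."""
    return p_annual * impact


def compare_readings(impact: float, years: int = 5, p_within_window: float = 0.9) -> dict:
    """Turn the statements from the post into comparable annual probabilities
    and the loss expectancy each implies for a single impact value. The
    'highly likely ... once over the next five years' sentence is read two
    ways on purpose: as a rate of 1/years, and as a 90% chance (assumed value
    for 'highly likely') of at least one event inside the window."""
    readings = {
        "20% this year": 0.20,
        "once in N years (rate reading)": annual_from_rate(1.0 / years),
        "highly likely once in N years (window reading)": annual_from_window(p_within_window, years),
        "extremely likely this year (low end of bin)": annual_from_qualitative("extremely likely")[0],
        "extremely likely this year (high end of bin)": annual_from_qualitative("extremely likely")[1],
    }
    return {
        label: {"p_annual": round(p, 4), "ale": round(annual_loss_expectancy(p, impact), 2)}
        for label, p in readings.items()
    }


if __name__ == "__main__":
    # Constructed impact figure: one occurrence is estimated to cost $500,000.
    for label, row in compare_readings(500_000.0).items():
        print(f"{label:52s} p={row['p_annual']:.4f} ALE=${row['ale']:,.2f}")
```

With the constructed numbers, the single sentence “highly likely to occur once over the next five years” yields roughly an 18% annual probability under the rate reading and roughly 37% under the window reading, so the same words justify either about $90,000 or about $185,000 of annual loss expectancy. That factor of two is the defensibility problem the bullet describes, made visible before anyone argues about the impact figure.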
I began to think that as much as we tell clients not to use FUD (fear, uncertainty and doubt) to sell security maybe Mr. Sandman actually has the right idea. Throughout the chapter we see various discussions that revolve around the “interpretation” of the impact of risk that motivate people to change behavior or our legislators to enact laws to protect us from ourselves but are not tied to any reality.
Maybe we ought to start thinking of risk in more than one way before we go ask for money, or process changes or whatever we think we need to do to protect our companies from themselves – for good or for bad.
Hey I am just thinking here.
Tags: · Risk Management
October 11th, 2009 by French Caldwell · 8 Comments
What is the most important role of the IT department in managing enterprise risks? Is it to just manage IT’s own risk, with a focus on security? Is it to get better alignment of IT services to business needs? Is it to advise the general counsel, the chief financial officer, and other business executives on the IT solutions that can help to improve risk management? It’s all of the above, truly.
But the biggest and most impactful role for IT in enterprise risk management is to ensure the best alignment possible of information to business needs. For business alignment, don’t start with the technology infrastructure — start with the information. Many enterprises have adopted and advanced knowledge management programs to do just that. We don’t hear as much about them these days, but there are many successful KM programs in successful enterprises.
I was talking to Mark Raskino the other day about his upcoming Cannes symposium Mastermind interview of the CIO of Shell. I mentioned to him that Shell is one company that adopted KM early and continues to embrace it. There are others in many different industry sectors. In government, for example, the U.S. Army credits KM with directly impacting operations.
A lot of KM professionals, though, have not been getting the love for a long time. Between the collapse of the tech bubble in 2001 and the economic collapse of 2008 they went into hiding — changing the names of their programs and projects — so they talk now about social networking instead of tacit knowledge, or about being information-centric instead of knowledge-centric. These are all valid alternative terms, but by taking the common K-word away, many enterprises have diffused their information strategies and deflated the effort of an enterprise-wide approach for getting the maximum business value possible from their information. The ultimate goal of an enterprise knowledge management program is to put a strong business focus on the alignment of knowledge to enterprise needs, whether that is the knowledge in someone’s head or the knowledge captured in a database.
All of us in the IT industry, whether we are vendors, service providers or users of IT, should quit avoiding the K-word. Alignment of information to business needs is job one, and KM is the strategic discipline for putting the right focus on that alignment. It is the most strategically valuable information risk management tool that is available to CIOs and other business leaders. For all those KM professionals, like me, who have been in the closet for the last eight years, in these tough economic times our organizations need us now more than ever — let’s bring KM into the light again.
Tags: · knowledge management, Risk Management
September 14th, 2009 by French Caldwell · No Comments
Gartner’s special report on vendor risk management, which my colleague Helen Huntley and I led, points to over two dozen research notes on the topic. The fact that analysts from across several different research groups at Gartner have contributed points to the complexity of the challenge facing any IT leader seeking to improve VRM. Many businesses, as well as government and other organizations, increasingly rely on IT vendors and service providers to support core business processes. This reliance exposes them to greater risk of delivery disruption or failure and damage to their reputation, as well as other business and IT risks facing the IT suppliers. Challenging economic conditions compound these risks. CIOs, vendor managers, and risk managers who want to get started at VRM can refer to Gartner’s Simple Vendor Risk Management Framework and Toolkit: Getting Started at Vendor Risk Management.
Tags: · Risk Management
September 7th, 2009 by French Caldwell · No Comments
In the end, all risk management is information management, and the reverse is not true. Much information management is done without a risk-oriented view or a business-oriented view, and the result is a lot of wasted time and money. So how about taking a risk-oriented business approach to information management? (Should I invent a new acronym — ROBA? Hey, let’s put a trademark on that!)
Anyway, while I ponder trademarking and servicemarking ROBA, I suggest anyone interested in getting a handle on strategic information management take a look at Pattern-Based Strategy: The Value of Information by Kristian Steenstrup and Tina Nunno.
Tags: · Risk Management