Are we there yet? ....Not even close.

In today’s rapid-paced, ever-changing economy, the topic of enterprise risk management has gained significant interest beyond the military sector, financial industries, and academia.  Especially with the latest buzzwords surrounding cloud security and cloud risk. Fortunately for blackhats, risk management is infantile and handled in an informal manner.  Just ask Sony how long Sony took to implement their previously-purchased RedSeal vendor solution after the public caught wind of their initial breach. 

When was the last time you have attended a formal risk management meeting?  Did it look like this?   cloud risk management  

Or did it look like this?  

enterprise risk management


 Worse yet, there are no actuarial datasets to use.  DatalossDB is better but much works needs to be accomplished to ensure the integrity of the data is beyond reproach. Verizon’s DBIR is better than nothing, but leaves much desired to arrive at the same conclusions. To this end, I will propose a comprehensive approach to enterprise risk management based on academic and business research.

In the coming months, I look forward to constructive feedback.  We shall begin exploring state-of-the-art risk management’s qualitative and quantitative methodology qualities. Followed by business reasons why risk management remains in institutional neglect.  Along the way, we shall have take aways from several theoretical frameworks, and tools which have been used or could be used to manage risk, such as IBM OpenPages, RiskAoA, custom excel spreadsheets, and other RSA vendor fodder.

Our research will draw ideals from fields not normally associated with enterprise risk management.  In order to isolate important risk drivers, certain perspectives will be had, IE regulatory and political.  One could say this series on enterprise risk management is to promote a greater preemptive organizational outlook.  Assisting institutions to foresee and exploit a business environment’s inefficiencies and reservations.  On the other hand, an evolutionary market perspective will be used to express an innovative manner to uncover risk management data.  I suspect we will find there are many ways to skin a cat to produce creative solutions.


Management Wednesday: BPM isn’t beats per minute.

I was chatting with Alexander Peters and he mentioned an interesting statistic. “…more than half of business process pros operate with immature management practices. Only one-in-five respondents said that their change initiatives fulfill the maturity criteria for managed and optimized initiatives…”

This is quite concerning considering business professionals are charged with ensuring their business unit succeeds.  Yet, it shouldn’t surprise me. Continually, peers tell me about some new process they have to jump through hoops to satisfy a checkbox while hurting their business unit by consuming all available resources. It appears middle management doesn’t understand the fundamentals of constructing and managing processes.

Process management is a repeatable, iterative practice to optimize an entity’s workflow(s).  The basic goals are leaner, greater efficiency, and agile processes. While it is safe to assume, ensure the processes to be optimized / created are set to accomplish the entity’s objective(s).

In the Information Service related-industries, many can find the following three root causes: human error, lacking stakeholder focus, and miscommunication. Personally, I utilize policies, mechanisms, incentives, and / or assurance to provide a stable business unit foundation.  Do not think of process management as the golden egg to solve all woes. One will want to concern their efforts with sustaining and enhancing an entity’s assets and core operations.  

Others have reinvented this wheel numerous times. Reinventing the process methodologies wheel has lead to three different framework classes:

  • Horizontal frameworks deal with design and development of business processes. Resources are focused on technology and reuse.
  • Vertical frameworks focus on a specific set of coordinated tasks.  Resources are focused on pre-built templates, which may be readily configured and deployed. 
  • Lastly, full service process frameworks have five basic abstractions and distinct resources:
  • ·       Scoping processes and project(s)
  • ·       Designing and modeling processes
  • ·       Rules engine
  • ·       Flow engine
  • ·       Testing and simulation 

Instead of wasting your two minutes of attention, in later posts, we will be covering each specific abstraction. 


Quote of the month

"What?! I'm going to roll into a vineyard with a chick in a dog collar?  Come on, dude!  I completely dispute that because I wouldn't roll into a vineyard with somebody like that.  That's not, that's not.  Look at me dude.  I'm not, you know.  What am I, ozzy osborned out right now?  I love Ozzy, don't get me wrong.  But we are not shouting at the devil right now, barking at the moon, or any of that stuff.  We are in the fucking woods.  Haha.  Digging in dirt.  No dog collared, eye-liner chicks allowed.  That is just embarrassing."

- James


Tough Mudder Training regime suggestions

Hilarity!  While building my Tough Mudder training regime , I came across these suggestions: 

- “I get drunk, go into a biker bar, and find the biggest, baddest looking guy there, and ask him if he is Richard Simmons.”
- “I’m not. I’m just gonna wing it.”
- “Sexual intercourse.”
- “YooHoos and ding dongs.”
- “Eating crushed glass and wrestling giraffes to the ground…”
- “I’m doing the event at the end of October. With not being a runner, I’m currently running on week nights, adding a mile to my goal each week. “Hopefully” I’ll be in running condition by the end of the Summer. Then will come the upper body part.”
- “I fight bears.”
- “Marlboros, beers and then a good run with my dog.”
- “Tazering myself and lighting a sleeve on fire while I workout.”
- “Running 4 times a week. Weight training! Eating healthy.”
- “By doing Tough Mudders all year round!!!”
- “Praying…a lot.”
- “I am alternating between p90x, Insanity, and the TM Boot Camp listed on the website.”
- “Cold showers!”
- “I’m drinking a thick glass of mud every morning for breakfast.”
- “I did the tough mudder recommended training that’s on the site. I did that for 3 months 3 times a week. Tough Mudder vt was amazing training def helped. Also I lost 26 pounds and I’m a size 2 when I used to be size 7!!!”
- “Binge Drinking and Chain smoking.”
- “Lots of whiskey.”
- “A little snowboarding, a little trail running, some white water rafting, two weeks on Mt Hood and some TRX… man I had better step it up, I’m getting soft in my old age.”
- “Beating myself over the face and running a lap every time someone mentions Tim Tebow.”
- “Starting a year ago I did p90x twice. Then starting in february I started running every other day with p90x discs in between. I’ve ran 170 miles so far. Tons of hill running mixed with body weight exercises. lots of water, no fast food.”
- “Drinking Dos Equis.”
- “Arm wrestling Chuck Norris. Once I beat him, I’ll be ready.”
- “Shake weight.”

Chanage Management management?

When startups attempt to mature beyond bad habits, management has a hard time discontinuing slurping bad practice’s teat.  Does “We didn’t have to do this at Employer X.  At Employer X, we had root so we could respond quickly to down time incidents.” sound familiar to you?  Unfortunately, too many I.T. / I. S. executives do not understand the business concepts behind change management and how it relates to Operations.  Thankfully, they understand it in their political battles.   Executives understand “high velocity management.”  Commonly, this is referred to as running fast and loose.  It is an optimistic approach.  Unfortunately, optimism breeds outages.  Principle of Least Privileges does not jive well with running fast and loose.  Management views this principle perpendicular to their financial budget and head count.  Management does not understand bleeding edge change management concepts push least privileges into a process, instead of the traditional function and role / job responsibilities.  Bleeding change management concepts spawned out of the idea of entities automating themselves out of a job.  Change Management personnel desire less redundant overhead, lean business processes, and ensuing streamlined policies and processes.  Typically, service oriented architected institutions have processes put into place which take ideals, concepts, and provides a service.  In many service-oriented organization’s operations, change management tools would be delegated with administrative privileges.  As a result, one would apply built-in gating processes to provide checks and balances.  If Alice can push a change to QA without QA’s approval, then one has bigger issues than a least privileges violation.  One should look their miscommunication(s.) 

Happily, as a result of maturing change management, communication improves.   From conception to end of life, diverse teams with vastly different objectives work together to achieve the same goal: deliver business requirements as rapidly as possible and make money.  Every resource is driving towards that goal.  If every process is not driving towards that goal, watch teams bounce into each other like drunks in a bar.  These drunken teams will go through the motions and the organization’s business side will not see any value in employing these teams.  Ask a prominent cloud billing service about why they closed their China office.  Change control endows organizations to become reactive to fluctuating market forces in order to be as aggressive as possible, and outpace competition.  Organizations desire to have this in place moving deftly and systematically as possible to ensure that they stay in business.  Beware, organizational structure and poor management may lead to delays, duplication of effort, and disrupt objectives / progress. 

Don’t worry; vendors have the latest Silicon Valley buzzword tool to mitigate any negative outcome.  If you aren’t sure, head to RSA-SF and walk Exhibit Hall.  Do not believe sales account executives.  They are incentivized to provide for their family, and grow revenue.  Tools will never be your Holy Grail.  “My cloud DLP solution will solve all of your data exfiltration threats.  All you have to do is setup a Narus sniffer, log events to Arc Sight and spend $60,000 on professional services.”  With that being said, pick the right tool(s) for the job.  Properly utilized tools will enable an organization’s processes to become more effective, reliable, and agile.  Be careful of a common process pitfall; when tools do not work with each other, they remain tools, outside a process.  One’s mileage will vary. 

One last item:  Many times, I see deployed tools support previous organization’s bad habits and broken processes.  The architects and implementers forget it is the goal of business processes, which reinforces and specifies the reasons for and how to best use the tool.  Change management is really simple, do not make it harder than what it needs to achieve: simplicity, automation, delivering, and empiricism






Management Wednesday

Management 101 - Negotiating

Observe yourself negotiating

The more time one spends preparing is directly related to win/win results

People undervalue value creation opportunities.  

Once again, People undervalue value creation opportunities

However, value creation and distribution are hard areas to get right

There is a tension between creation and distribution

Beware, one can exploit cooperative behavior. 

Do not be aggressive.  Aggressive behavior can spiral downward.

Act with purpose, not reactively.

 Think of negotiation as teaching.  Teach others why you are right.

 Explicit discussion helps

 Maintain a separate relationship from substance

 NEVER try to buy the relationship

 Unconditionally offer a great relationship

 Be easy to work with

 Be trustworthy

 Be respectful, polite, kind, cheerful, etc….

 If one is the seller, ask questions.  Attempt to ask significantly more questions than statements.

 ACTIVE listening skills - Talk to them as if they were a friend

 Ways to encourage active listening - Silence, Minimal encourages, Paraphasing, Emotional labeling, Summarizing, Open questioning, and, lastly, I statements.

<RANDOM tidbit> If you deal with kidnappers, make it a pain in the ass for the kidnappers to get your money.  Most mexicans, columbians, and the sort kidnappers will not deal with americans due to the pain induced by the FBI etc.  “You want me to sell my house?  Oh, ok. I talked to my realtor and says that it isn’t a good time to sell.  I can send you all of the money in my checking account….”

 Find out their interests

 Ask about them, what they want, their interests - Make sure to see what they talk about and how long. Give them the freedom to talk.

 Suggestion options, ask for criticism - ask them to criticize your idea.  “What are the problems with my idea?”

 Tell them what you think their interests are - offering them a draft that they can markup

 Tell them your interests.

 Give them a role in problem-solving - think of them as a role in a movie where they get to solve the problem, being the hero of the movie -  we can do the password like this or we can do it like that.

 Knowing interests typically helps the relationship

 Give them time to find solutions.   “I do not need an answer now but lets think about how to solve this….”  If there is no answer in some acceptable time frame, then take charge….

 Generate options - make sure to control the negotiations.  Do not loose control.

 IF one can control the negotiations, he/she can influence the attention.  Never ask THE question, aka “Do you want to buy a car?”

 Invent creative ideas for each issue.

 Invent in preparations and in negotiations - Talk about options each side agrees in.

 Explicitly disavow commitment.

 Encourage stupid ideas

 Rearrange packages to add value

Present them with choices - would it be better for you to do it this way or that way?  Listen, I have three ways to satisfy my needs and requirements.  What do you prefer?

 If one is able to model the negotiations in a simple manner with weights and measures, use Pareto Efficiency modeling.

 At the onset of the negotiation, look for high and lows.

 Ask yourself, “How we can earn trust at the start?”

 Read a few of the papers by Kathleen McGinn -> You will see those with no emotional baggage or ties win overall.  This emotional game is nested in every negotiation with every situation.  MAy make people more easy going.

 One can use the Ultimatum game to show Humans are irrational.  Economists/negotiators HATE this and need to recognize this.  Most people are irrational because it is worth some value of resource to punish the other person.  Rather rational behavior ;-)

 Study Nash Equilibrium then realize it doesn’t hold true.  Humans have a sense of reciprocity.  Gender and moral/cultural norms override Nash’s equilibrium.  

 Lastly, insist on fair criteria

  The Fair criteria should be independant standards which suggest what the outcome should be.  

 Beware, fair criteria can be used as a sword - “Here is why this is fair..” and/or as a shield - “How can I explain to my boss why that is right….”

 Truly, how do I know this is fair?

 Your other party will be open to persuasion if they see that you are


 The same agreement is worth more if it comes with a story of why we won

 Embrace stupidity as a tactic

Legal Disclaimer

The information, ideas, thoughts, friends, friends opinions, links, etc. found through my blog do not reflect the thoughts, opinions, policies, or ideas of my company, my friends, my neighbors, my laptop, or my trash. All rights are reserved and lefts reserved too… The comments, opinions, and views expressed by others do not necessarily reflect the views of myself or any organization of my personal or professional affiliation. All comments, links, and opinions are the sole responsibility of their writers.