Archive for December, 2010
Michael D. Moberly December 31, 2010
As stated numerous times in this blog, I am a long time advocate of exploring avenues to identify, use, and exploit intangible assets (non-financials) insofar as delivering value, sources of revenue, and developing tactical-strategic ‘building blocks’ (foundations) for a company’s future growth and wealth creation opportunities.
In few instances, however, can those outcomes be achieved or realized without effective and consistent management, stewardship, and oversight of the assets, which, in turn, will produce improvements in a company’s economic and competitive advantage health!
Respectfully, it just seems to me, that view does not quite rise to business management ‘rocket science’. Make no mistake, I don’t say this in a condescending or disrespectful manner to the multiple millions of hard-driving management teams and boards who, for a variety of reasons and internal/external influences, apparently find crossing that particular business chasm to intangible assets more akin to the Grand Canyon versus a trickling stream.
Almost without exception, most companies, regardless of size, industry sector, or maturity, produce, possess, and use intangible assets, sometimes without fully recognizing it, but, nevertheless, in most instances, they actually deliver (some) value, revenue, and competitive advantages for the company.
So where’s the challenge? Shouldn’t it be relatively easy to influence management teams, boards, and investors to really engage their intangibles in what I view as being relatively straightforward, non-intrusive, and inexpensive steps that can likely lead to improvements in their company’s financial and competitive health and mitigate risks?
For one thing, it’s increasingly clear today that conventional financial statements and balance sheets are not providing management teams, boards, and prospective investors with a sufficiently complete or necessarily clear picture of the company’s overall soundness. That reality doesn’t always fall on deaf ears. Many decision makers recognize, in today’s rapidly progressing and irreversible knowledge-based (business) economy, that 65+% of most companies’ value and sources of revenue actually do lie in – evolve directly from intangible assets and other forms of non-financials.
There’s little doubt in my view that one of the challenges lies in continued and singular reliance on conventional financial statements and balance sheets. They do influence some management teams, boards, and investors to sustain a certain level of skepticism, uneasiness, and even dismissiveness about how to best cross that aforementioned chasm. The chasm in this sense, again, represents the economic fact that the real sources and drivers of most companies’ value and revenue today lie in (intangible) assets that seldom, if ever, get reported – accounted for on those conventional financial statements other than in the form of the all-inclusive ‘goodwill’!
True enough, conventional financial statements and balance sheets have value, and it is not the intent here to advocate their disregard because they do describe whether or not financial targets have been achieved, and, in that sense, remain a very necessary and important measurement tool. But still, they simply don’t tell the whole story about a company’s status or its potential. The prudence of striking a better balance between the oversight, stewardship, and management of financials and non-financials would likely reap solid benefits and should not be so readily dismissed.
Admittedly, conventional financial reports (balance sheets) were not really designed to capture (describe) the many and various qualitative aspects, vital signs, and indicators that we now know are directly related to business success, i.e., those found in a company’s intangibles (non-financials). Today’s reality is, tracking/monitoring non-financial aspects of company performance, i.e., its intangibles, is not a time-resource luxury; rather, it’s truly become a strategic necessity and fiduciary imperative.
There are a number of factors in play today that should be influencing management teams, boards, and even investors to pay more (consistent) attention to monitoring non-financial – intangible asset performance indicators. They include, among other things:
· Increasing global competition.
· Growing connection between a company’s intangible assets, their value-supply chain, and success, profitability, and sustainability.
· Heightened respect for the value of a company’s reputation (image, goodwill).
· Necessity for accelerated product innovation-launch times.
· Boundary-less speed with which information (assets) can be disseminated.
· Increasing (government) regulatory emphasis on reporting, measuring/accounting businesses’ non-financial performance, à la intangible assets.
Bottom line: through effective and consistent management, stewardship, and oversight of intangible assets, they can be one very plausible solution! Postponing or waiting until a company is partially or totally broken to take full advantage of intangibles and non-financials, while it may not be too late, is not the most prudent or forward-looking course of action in today’s increasingly competitive, aggressive, global, and winner-take-all business environment.
The ‘Business IP and Intangible Asset Blog’ is researched and written by Michael D. Moberly, president and founder of Knowledge Protection Strategies – http://kpstrat.com. The intent of Mr. Moberly’s blog is to provide insights and perspective to aid in a cross-disciplinary approach for identifying, assessing, valuing, protecting, utilizing, and extracting value from intangible assets. Your comments regarding my blog posts are welcome at firstname.lastname@example.org.
Michael D. Moberly December 21, 2010
This post is about explaining a persistent challenge that I routinely experience insofar as influencing management teams, boards, and investors to take some relatively straightforward, unintrusive, and inexpensive steps to improve the financial and competitive health of their companies.
Largely, that challenge revolves around the importance, if not fiduciary responsibility, to put in place practices for the stewardship, oversight, and management of the intangible assets, or non-financial (value, revenue, competitive) drivers that companies routinely produce and, in most instances, already possess but that continue, for a variety of reasons, to be overlooked, dismissed, or neglected.
In 2004, and again in 2007, Deloitte produced two very relevant and much needed reports. The first was a survey, conducted in cooperation with the Economist Intelligence Unit, titled ‘In The Dark: What Boards and Executives Don’t Know About the Health of Their Business’. The second, published in 2007, was a follow-up report, similarly titled, but with one important caveat, ‘In The Dark: What Many Boards and Executives Still Don’t Know About the Health of Their Business’.
Both papers convincingly expressed the view, with which I’m in total agreement, that conventional financial statements do not provide a complete or comprehensive picture of a company’s ‘soundness’. Management team, board, and investor belief that conventional financial statements are the only, or even the best tool for demonstrating-conveying a company’s soundness, should certainly be questioned, particularly in the rapidly progressing knowledge-based (business) economy in which 65+% of most companies’ value, sources of revenue, and ‘building blocks’ for future wealth creation lie in – evolve directly from intangible assets or non-financials.
There’s little doubt that continued (sole) reliance on the conventional does influence management teams, boards, and investors alike, to be skeptical, dismissive, neglectful and, in some instances, utterly blind to the economic fact-reality that the underlying and/or foundational sources and drivers of most companies’ value, revenue, and wealth creation are their non-financials or intangible assets.
Let there be no doubt though, conventional financial statements’ (balance sheets’) emphasis on identifying whether or not financial targets have been achieved remains necessary, no argument here, and is something which this blog post is not advocating doing away with.
But, as both Deloitte reports unequivocally conveyed in 2004 and 2007 respectively, it was a prudent business practice then, and it must be for the foreseeable future, for management teams and boards to work diligently, and I might add, quickly, to strike a better balance between the oversight, stewardship, and management of financials and non-financials. Lest this be misconstrued, such action does not - need not entail paying less attention to one over the other. Rather, it requires paying a more balanced attention to both!
So why is more ‘balance’ necessary? The key reason in my view, which was also conveyed in the Deloitte reports, is that conventional-traditional financial measures are simply not designed to capture (describe) the many necessary (critical, essential) qualitative aspects that we now matter-of-factly know are directly and consistently related to business success, i.e., those found in a company’s intangibles (non-financials) such as the quality and strength of a company’s relationships with constituencies up and down its respective value-supply chain.
It’s become a managerial ‘no brainer’ now that tracking/monitoring non-financial aspects of company performance, i.e., its intangibles, is not a time-resource luxury, rather a necessity and fiduciary imperative.
Fortunately, according to Deloitte, and which my own experiences certainly bear out, there are several factors which are now at work influencing (driving) boards and management teams to pay more attention to ‘monitoring key non-financial – intangible asset performance indicators’. These include, among others:
1. increasing global competition, irrespective of company size, sector, or maturity.
2. the growing influence/importance of ‘relationship capital’, i.e., customers/clients relationships up and down a company’s value-supply chain.
3. management team and board heightened awareness of the real and foundational value of a company’s reputation and the attendant risks and potential for hard hitting and sometimes irreversible and almost instantaneous company-wide cascading effects that can occur if certain risks actually materialize.
4. rapid-accelerated product innovation-launch times (globally speaking) before real competitive advantage erosion and/or undermining will occur.
5. the globally boundaryless speed with which information (assets) can spread-be disseminated through the Internet.
6. the increasing importance – influence of human capital, i.e., employees internally, as well as employees dispersed externally throughout the value-supply chain.
7. greater scrutiny by various global - virtual media forums and outlets on matters/issues other than solely a company’s financial performance.
8. increasing government regulatory agency emphasis (globally and country specific) on reporting, measuring/accounting businesses’ non-financial performance à la intangibles.
It would be most desirable if management teams, boards, and investors began to regard the oversight, stewardship, and management of non-financial (intangible asset) metrics not merely as some altruistic endeavor, but rather as an important, necessary, and prudent business practice integral to sustaining and enhancing their company’s value, revenue, profitability and competitiveness!
Michael D. Moberly and Dr. Jongpil Cheon December 17, 2010
Since security, risk management, and corporate defense (types of) programs began to achieve a semblance of professional standing beginning in the mid-to-late 1950s, they have been variously characterized as being isolated, siloed, stand-alone, and/or mere support functions operating at the fringes of a company. Collectively, their responsibilities were overwhelmingly directed toward protecting tangible (physical) assets with little or no attention being directed to intangible (non-physical) assets. And, while there have been consistent initiatives to connect – create relationships between the role and function of security and risk management to a company’s revenue, profitability, and/or sustainability, they have largely been anecdotal and company specific.
Today however, as most security-risk management practitioners know, but specifically addressed here by Sean Lyon and Robert Liscouski, members of the Intangible Asset Finance Society, the role, function, and responsibilities of security, risk management, and overall corporate defense have changed and continue to change, for the better, at a fairly rapid pace.
For the most part, those changes are a reflection of the global economic reality that 65+% of most companies’ value, sources of revenue, sustainability, and foundations (building blocks) for future growth and wealth creation now lie in – are directly related to intangible assets rather than tangible (physical) assets. This economic fact contributes to pushing security, risk management, and overall corporate defense, from operating primarily at the aforementioned fringes of a company, directly into board rooms, where both Liscouski and Lyon strongly agree it should be!
The following represents an account of the Intangible Asset Finance Society’s monthly meeting (September, 2010) titled ‘Enterprise Security’ in which the very experienced thought leaders Sean Lyon of R.I.S.C. International and Robert Liscouski of Implant Sciences served as speakers to discuss a variety of issues related to intangible assets in the context of enterprise security.
There’s little doubt that management teams and boards that make the prudent decision to act, and act now, on the sage counsel, herein offered by Lyon and Liscouski, will increase their company’s chances of achieving the desired level of success, profitability, and sustainability which shareholders and stakeholders, up and down their respective value and supply chain, are both expecting, and demanding.
On the other hand, management teams and boards that remain dismissive about or elect to ignore the very real and asymmetric risks and threats that exist, or, worse, wait until a risk materializes, many of which are more challenging to contain, yet carry the potential for immediate impact to a company’s most valuable (intangible) assets and the economic and competitive advantages those assets produce, are all the more likely to succumb to failure in one form or another.
Certain government sectors and agencies clearly play a role with respect to providing guidance and opportunities to directly aid the private sector in identifying, assessing, and managing certain business risks, and executing ‘corporate defense management’ types of programs. It’s certainly advisable for companies to examine and leverage all of the ‘guidance’ that’s freely evolving from an ever growing number of government agencies about security and risk management.
Thus, there is literally no need today for companies (CSOs, CIOs, risk managers, etc.) to wholly reinvent the security and risk management wheel because there’s an abundance of guidance that’s readily available. It is important, however, to know where and how to tweak such guidance to accommodate and reflect each company’s operational nuances and, sometimes, industry sector.
While it’s highly unlikely that a government agency will ever (literally) show up at your company’s doorstep for the sole purpose of extending an offer of direct assistance, the private sector should not wait. Rather, there is an implicit responsibility for companies to (a.) take affirmative steps and actions now to identify, manage, and mitigate their risks to keep their company reasonably secure, and (b.) deploy some manner of corporate defense management (umbrella) program.
A Corporate Defense Management Approach Is…
Corporate defense management, according to its chief architect, Sean Lyon, of R.I.S.C. International, represents a company’s collective program (efforts) for ‘self defending’ against different hazards and risks, with the primary purpose of accommodating its business objective. Examples of hazards-risks, Lyon suggests, include fraud, litigation, natural disasters, unacceptable risk taking, and reputation risks, among others.
He says this because he (Lyon) believes that today, (1.) boards are under steadily rising pressure to ensure their company can adequately defend itself against a growing array of increasingly sophisticated and asymmetric risks and threats, and (2.) that, companies take all reasonable steps, from a fiduciary responsibility perspective, to put appropriate security, risk management and ‘corporate defense management’ programs in place.
But, quite unfortunately, Lyon points out, in many companies, the corporate defense programs are ‘siloed’, that is, they are not aligned with one another, and often function independently and in isolation. In other words, there is little or no interaction, collaboration, or sharing of information (intelligence) amongst the business units variously charged with a particular aspect of corporate defense, i.e., security, risk
The ‘corporate defense management’ model factors different components with the objective being to meld those components together so they work/function in a coordinated fashion with each component interacting with other components so as to (1.) reduce duplications, (2.) create efficiencies, (3.) identify (security, risk, defense) gaps within a company, and (4.) identify actual responsibilities. Absent this (corporate defense) management model, each component would likely continue to function independently with little or no sense of inter-connectedness between the components.
Mr. Lyon characterizes the establishment of a ‘corporate defense program’ in an umbrella fashion that encompasses the following multi-dimensional components, (1.) corporate governance, (2.) risk management, (3.) compliance management, (4.) security management, (5.) resilience management, (6.) controls management, (7.) assurance management, and (8.) intelligence management. The key, Mr. Lyon says, is that each of these components becomes strategically aligned and tactically integrated.
So, by developing a corporate defense management model, as described by Lyon, companies can more readily minimize and mitigate risks without the almost assured inevitability today of experiencing a cascade of consequences, should certain risks-threats materialize.
The desired outcome of a ‘corporate defense program’ (approach) is that it collectively and adequately defends a company while uniting and aligning the heretofore siloed components, thus rendering a company more resilient, while minimizing the potential for any security – risk management redundancies. This is achieved, Lyon points out, by integrating performance management techniques designed to converge what previously appeared to be cross-functional components, into becoming more inter-dependent, inter-linked, and inter-connected.
Adopting A Stakeholder’s View Is Necessary
Lyon also asserts that a successful and effective ‘corporate defense’ program requires not solely coordination and integration, but, perhaps most importantly, a clear understanding of what’s necessary to safeguard the interests of (a company’s) stakeholders.
In today’s increasingly competitive, predatory, and oftentimes winner-take-all global business (transaction) environment, this point cannot be emphasized enough, i.e., that management teams and boards literally adopt a stakeholder view with respect to their security – risk management (corporate defense) programs and strategies. In other words, they absolutely must take into account all parties who carry a vested interest in their company, i.e., clients, shareholders, stakeholders, regulators, employees, etc.
The Corporate Defense Model and Conventional Risk Management: Is There Really A Difference?
Mary Adams, of I-Capital Advisors, posed a worthy question for Lyon and Liscouski: are the corporate defense management model and conventional risk management interchangeable; in other words, is there a substantial difference between the two? In response, Lyon suggests that, conceptually, the corporate defense management approach takes a more strategic view in which security and risk management activities are (ideally) coordinated under a single (enterprise wide) umbrella.
A fairly consistent challenge to incorporating this approach though, is that ‘risk management’ remains largely ill-defined as pointed out by Robert Liscouski of Implant Sciences. In other words, how risk management and its associated responsibilities are operationalized are often company and/or circumstance specific. This makes it somewhat difficult, Liscouski suggests, to talk about or address risk management with consistency and specificity.
Of course, a significant downside to this absence of across-the-board definitional and operational clarity (about risk management), Liscouski goes on to say, is that it often affects how a company not only approaches risk, but assesses its risks, and ultimately tries to manage its risks.
Knowing Your Company Is A Simple, But Very Essential Underlier To Success
Robert Liscouski, an experienced and well grounded expert in the risk management arena states, quite correctly, when it comes to a company assessing its risks the initial responsibility of management teams and boards is to clearly understand what type of business their company is actually in.
While Liscouski’s view may sound simplistic and even somewhat irreverent toward management teams, boards, and others charged with a company’s overall security and risk management, there’s a great deal of truth underlying his premise, inasmuch as it represents a far too often overlooked element of the larger picture. That is, it’s quite routine to see companies endeavoring to apply a generalist, one-size-fits-all risk management approach (template) to their company without fully taking into account or understanding their company’s special circumstances, the nuanced ways in which their company functions, the types of transactions it routinely engages, the company’s stakeholders and shareholders, and equally important, the company’s intangible assets.
Ultimately, Liscouski points out, it’s absolutely essential for all parties – business units that are part of a company’s security, risk management, and defense ‘umbrella’ to really understand three key things: (1.) what contributes to the execution of the business, (2.) what are the company’s responsibilities to their shareholders, and (3.) how the company, as a whole, is executing on that (their) responsibility.
And here, Liscouski suggests, lie many opportunities to engage in education and awareness directed to company management teams and boards. That is, time and effort should be devoted to elevating their understanding and appreciation for (a.) what their fiduciary responsibilities are relative to risk management, security, and overall corporate defense management, and (b.) how companies can effectively use those (corporate defense management) components to make consistent and substantive contributions to shareholder value.
Interestingly, Liscouski offers the view that he finds management teams and boards often hold discussions about shareholder value and security’s contribution, but, frequently, it’s just that, a discussion, with little substance, and seldom do such discussions include the necessary context for linking or aligning security, risk management, and corporate defense to ensure their respective contributions actually occur.
Ultimately, Liscouski suggests, when companies look internally at the various business processes that actually contribute to their market value, shareholder value, and market cap, management teams and boards also need to take a very hard look at those business processes, as a starting point of sorts, to really understand what (assets) warrant protection as requisites to business continuation and resiliency.
Differences In How Companies Look At – Assess Their Risks
Both Liscouski and Lyon agree that the proverbial paradigm has definitely shifted in terms of how companies look at and assess their risks, which, by the way, both agree, has been for the better. That’s because many companies now consider (identify, assess) risk through a shareholder’s lens. By considering risk through the eyes of shareholders and stakeholders, different perspectives and probably more appreciation (for risk) will be the outcome, compared to the way most risk assessments have been conducted in the past. Previously, risk assessments were largely conducted absent any consideration relative to impacting, one way or another, shareholder value. In other words, security, risk management, and corporate defense practitioners in the past have taken a fairly siloed – isolated approach themselves.
But, as more companies adopt a holistic (shareholder-based) view of security, corporate defense, and risk management, the benefits of doing so become obvious, such as being better positioned to foresee (anticipate, recognize) potential ‘cascade of consequences’ that will occur, with increasing frequency, when certain risks remain unchecked and/or un-managed. Such revelations, of course, prompt an elevated interest in potential cascading effects of consequences, particularly those that can readily ripple through a company’s assets. Of course today, the speed with which, in a growing number of circumstances, a single consequence can, quite literally, cascade (ripple) throughout an enterprise, producing along its path both secondary and indirect (adverse) consequences and impacts, is truly amazing.
Adverse cascading consequences, of course, can manifest themselves in various ways within a company, Lyon and Liscouski point out, among them being loss of competitive advantage, erosion/undermining of asset value, compliance breaches, reduced company capabilities through downtime, customer/client dissatisfaction, reduced sales and market share, and ultimately, a reduction in a company’s overall market value.
Let it suffice to say that in many instances, today’s asymmetric risks, left unrecognized or unchecked, can literally ‘creep’ into a company and embed themselves within a company’s culture, not unlike a computer virus or worm, to create, in many instances, a much higher level issue, which in turn, will likely carry more adverse and strategic impacts.
It’s About Processes: Re-Framing How Companies Think About Security and Risk
To help mitigate what many of us would refer to as risk inevitabilities, there is a need to re-frame how we think about security and risks, particularly in the context of the potential for cascading (rippling) effects and consequences. Again, Mary Adams points out that risk management and corporate defense management need to have a strong focus on business processes. That’s because ‘business processes’ are ultimately what twenty-first century knowledge-based, intangible asset intensive companies do, that is, they create and optimize their business processes.
Today, there must be, literally speaking, well coordinated processes that companies put in place, to not merely engage (risk, security, corporate defense) but also, to ensure they are identifying and managing the right risks, Liscouski says. The right risks are, of course, those risks which, if they materialize, would (likely) produce the most adverse-negative effects along with bringing about a cascade of consequences that would ripple throughout an enterprise internally as well as externally.
So, a critical question Liscouski rhetorically asks is, what kind of business processes do companies need to protect? The answer, he says, lies in identifying (distinguishing) those business processes that (1.) may literally be missing, or (2.) could/should be enhanced. But first, he says, it’s important to understand the linkages – relationships between particular business processes and a company’s intangible assets.
To achieve this, a company needs well defined (business) processes whereby intangibles can be readily identified and distinguished and their performance (value, materiality, etc.) monitored, not solely for improvement, but to provide a better risk management environment overall.
Human And Relationship Capital, They’re Part Of The Security-Risk Management Focus
Are human and relationship capital part of the security-risk management focus, asks Adams? To be sure, the knowledge emanating from human and relationship capital represents increasingly important and valuable intangibles, where (security, risk management, and corporate defense) attention must not only be directed, but literally factored into the security – risk management equation, Liscouski and Lyon say.
So, as companies engage in more of a shareholder-stakeholder view of their security, risk management, and corporate defense responsibilities and needs, especially in the context of (avoiding, mitigating) the potential for cascading consequences, it’s likely their attention will also be drawn to the reality that when human-relationship capital are overlooked or dismissed, the adverse impacts that will surely result can take the form of reductions in morale and productivity which manifest themselves broadly throughout a company as reduced customer loyalty and sales, for example.
Security, risk management, and corporate defense programs really do then, in the twenty-first century, have to be holistically driven which, for the most part, is a significant departure from the past, but nevertheless, is a very significant key to making them work (more) effectively now. Back to the initial point however, companies that elect to ignore or be dismissive about (their) human, intellectual, and relationship capital insofar as security and risk management are concerned, should not expect those programs to either function or produce the desired-intended results, that is, outcomes that have a bearing on shareholder value.
The Role Of A Strong And Focused Company Culture
A positively embedded (company) culture can set the overall tone, Liscouski suggests, with respect to (1.) how a company will actually manage its risks, and (2.) whether it will succeed by consistently avoiding and/or mitigating certain risks altogether.
So, the necessity (fiduciary responsibility) for management teams and boards to be fully engaged in not just knowing the risks their company faces, but also, the strength of those risks, i.e., the vulnerability, probability, and criticality, while simultaneously being alert to and knowing how best to mitigate certain risks lies, in a growing number of instances, in developing a strong company culture.
If a company is slow to respond to an impending risk, or their eventual response appears weak in the eyes of their constituencies, i.e., stakeholders, shareholders, etc., it will often become a determining factor in – have a bearing on how those constituencies ultimately interpret and respond to the company, internally, externally, publicly, or from within its supply chain, including market impacts.
Reasonable Expectations For Risk Management and Mitigation
An important and certainly timely, and again, mostly rhetorical question posed by Liscouski was, how do companies assess-calculate reasonable expectations about risk mitigation and management and also measure the value of the assets they’re protecting?
Measuring what’s being protected can take the form of dollars, rankings, ratings, quality, or ranges, etc. Lyon adds though, it’s up to each company to identify their (a.) key performance indicators (KPIs), and (b.) key risk indicators (KRIs). Based on a company’s KPIs and KRIs, both speakers agree it’s advisable to devise a course of action that both ‘fits best’ and complements what a company may already have in place, i.e., dashboards, balanced scorecards, etc.
Liscouski noted though, there is no single means of measurement (metric) because measurement can be dependent on the nature of a company’s business, and he added, it’s not too difficult to identify, with some precision, the costs associated with an asset (value) loss or compromise, or the investment and/or resources required to protect a company from loss or risk. What’s difficult, he says, is putting an index around security and risk management programs in terms of what they actually contribute to sustaining control, use, ownership, and value of a company’s intangibles. At some point, Liscouski noted, it will be essential to describe a company’s investment profile, i.e., what’s required to actually achieve the desired, if not prescribed, level of security and risk management.
Liscouski advocated the use of financially oriented metrics to ‘measure’ the contributions of security and risk management. Again, he suggests, this would more likely complement any existing (business, performance) metrics a company may already have in use.
Further, financially oriented metrics are often designed to predict forward movement and/or progress; therefore, they would serve to provide greater validity for establishing a business case for security, risk management, and overall corporate defense program contributions. In other words, security, risk management, and corporate defense are not so much dependent on countering and/or mitigating a single (risk, threat) event as they are on producing a desired end result, because that’s what really counts to the profitability and sustainability of a company.
There’s considerable work currently being done in this arena, Liscouski says, on three fronts: (1.) the probability (certainty) that particular risks/threats will actually materialize, (2.) strategies to mitigate any consequences, and (3.) the type/amount of investment that is necessary to manage-mitigate those threats/risks.
Still, both Lyon and Liscouski point out that it all revolves around a company’s ability to objectively analyze and assess the risks that are relevant to their key business processes, with company reputation being what ultimately warrants the most protection. A good source to examine this perspective further is Steel City Re’s ‘reputation indexes’.
Again, Lyon and Liscouski agree, we’re really very early yet, globally speaking, in the maturity (level) of companies insofar as being able to recognize and execute on the necessity to adopt a holistic (umbrella) approach to risk management, security, and corporate defense. The likelihood that companies will place (appoint) a single individual in a position to oversee this entire ‘umbrella’ is currently quite rare. Two key factors, Liscouski says, that affect whether companies will begin moving toward more holistic (security, risk management, corporate defense) approaches are (1.) company size, and (2.) the reality that such positions are often (highly) ‘personality driven’.
Both Lyon and Liscouski also agree that today, it remains more art than science with respect to being able to effectively articulate (1.) what a company really needs to protect, and (2.) what level of protection is sufficient relative to managing-mitigating particular risks-threats. One of the challenges is that a company’s investment profile, necessary to achieve a full complement of security, risk management, and corporate defenses, would likely be so exorbitant that companies could not afford to execute it, let alone give it the serious, reasoned, and objective consideration it was due.
So, that leaves practitioners with essentially the same, time honored and increasingly risky conundrum: what constitutes enough security for a company? If, for example, a company adopted a five point scale (i.e., 5 = high security, 1 = low security) for describing levels of security, under what circumstances could we conceive a company management team and/or board reaching consensus that a 3.5 security level is sufficient relative to a company’s vulnerability and the probability and criticality (consequence cascade) should a particular risk or threat materialize?
A Paradox? When Can Doing Nothing Become A Greater Risk Than Doing Something?
While Liscouski and Lyon are proponents, like many of us, of metrics, they recognize the paradox of ‘doing nothing is sometimes a greater risk than doing something’. They make special note of a position not infrequently conveyed by corporate general counsels, e.g., that the company should not do anything because there is too much risk and potential for liability.
For starters, both Liscouski and Lyon urge practitioners to not engage company legal counsel only when problems or challenges arise, rather remain engaged with counsel as consistently and robustly as possible to the point that the relationship evolves as part of – integral to a company’s overall solution tract, particularly when significant problems and/or challenges do arise. As many management teams, boards and security/risk management practitioners know however, on occasion, legal counsel can become an impediment or obstacle to certain initiatives, which is often, in part, driven, pure and simple, by a risk averse orientation (predisposition). When this occurs, Liscouski suggests a ‘cultural change’ may be in order, in which an effort is made for counsel to become not merely a legal advisor, rather a genuine business partner (i.e. facilitator, enabler) to company initiatives.
Risk Management and Due Diligence In The Investment Community
Interestingly, both Lyon and Liscouski voiced very candid perspectives about the investment community with respect to security, risk management and corporate defense in due diligence contexts. One perspective offered was that, rarely, if ever, does the investment community inquire about a company’s (business) processes either when conducting their due diligence or evaluating a company for possible lending structures.
It’s no particular secret that a significant percentage of prospective lenders and investors simply don’t know about, nor do they receive a sufficient – complete picture about a prospective investment, in terms of whether aspects – components of the investment under consideration are at risk, Liscouski points out. In other words, they have little or incomplete information about the (intangible) assets that will be in play, i.e., their status, stability, or sustainability. That’s largely because the investment community still tends to apply a classic P&E and/or very conventional due diligence approach to their invest – don’t invest decision making process, in which intangibles are generally overlooked altogether, seldom addressed separately, or in some instances, the words ‘intangible assets’ appear nowhere on any lending form.
Today’s Business Transaction Environment Is Highly Competitive, Predatorial, And Winner-Take-All
In today’s extraordinarily competitive, predatorial, and often times winner-take-all global business (transaction) environment, the opportunity to raise and ability to clearly and succinctly articulate these important (asset security and risk management) issues to management teams and boards is an increasingly essential element to a company’s success, profitability, and sustainability.
Management teams and boards who possess the foresight and receptivity to fully assume the fiduciary responsibilities addressed here, e.g., the stewardship, oversight, and management of their company’s intangible assets, represent coveted starting points for executing and achieving effective enterprise-wide security, risk management, and corporate defense programs.
There remains however, a propensity for many management teams and boards to frame the need for security or risk management only in contexts of large, Fortune 500, multi-national types of corporations, thereby, being dismissive about either the need or relevance of such services for small or mid-size companies. Of course, the reality is, the materialization of risks-threats, Liscouski says, to small and mid-size firms can certainly be more acute and carry far greater and more immediate consequences and criticality compared to their Fortune 500 brethren who are presumably, more able to absorb asset losses, erosion of sales, market share, brand, customer loyalty, etc.
Michael D. Moberly December 10, 2010
I am inclined to characterize the on-going events and acts evolving from the ‘wikileaks’ phenomena as adding several new and increasingly challenging dimensions to corporate reputation risk management.
Those new dimensions, at least at this point in my view, have 10+ elements/variables which in many respects are converging in a somewhat simultaneous fashion which certainly adds complexities to reputation risk (management) convention, i.e.,
1. the reactions – responses by PayPal, Visa, Mastercard, and servers, etc.,
2. the aggressive actions apparently perpetrated by ‘wikileak’ advocates/proponents in the form of denial of service attacks and various forms of hacking, etc.,
3. the demeanor/behaviors exhibited by Julian Assange himself (aside from criminal warrant in Sweden) in terms of whether his website and his actions will ultimately come to be perceived publicly as being that of a leaker, a journalist, a self-styled technology era solicitor, or merely a middle man.
4. pronouncements by Assange’s supporters and legal counsel, i.e., roll out of presumed defense strategy.
5. the various U.S./foreign government pronouncements and their respective public and non-public initiatives to deflect, mitigate, and/or counter the ‘leaks’.
6. the global ‘talking heads’ that are weighing in on the issue through the conventional, primarily TV media, social media, and blogs, etc.
7. global open source – transparency and First Amendment advocates weighing in on the issues
8. U.S. DoD’s and DoS’s respective portrayals of the reality that classified and largely embarrassing information has been leaked.
9. U.S. Attorney General Eric Holder’s legal strategies, some of which are being discussed in the media, and
10. the anticipation of what additional, presumably sensitive and/or proprietary information will be released that target particular companies.
Collectively, in their own way, each element/variable above is no doubt prompting some distinctively framed discussions in c-suites and board rooms globally, some portion of which will probably include recommendations for preparing-mounting-executing some form of ‘pre-emptive strike’, e.g.,
1. scouring client/customer lists to identify (assess, project) the potential for ‘wikileak’ types of problems to occur.
2. complete disassociation with or some probationary – alert status for customers/clients that may pose a ‘wikileak’ type of hazard – reputation risk.
3. pronouncements of new oversight guidelines related to selection, retention and/or hosting and payment services to companies that run afoul with the law or whose activities are counter to prescribed ethics.
It is certainly not a stretch, as I suspect others would agree, that we will witness perhaps a parade of companies, in the coming days and weeks engage in some variant of a ‘pre-emptive’ strike as characterized above, most likely in the form of policy changes intended to forestall and/or mitigate what may well be the initial salvo to try to counter a relatively ‘new look’ to the conventional reputation risk.
Unfortunately though, what some companies may overlook or leave out of their ‘risk equation’ is that the ‘feel good’ pre-emptive reputation risk management actions portrayed above are, for the most part, irreversible and may do more strategic harm and present more reputational challenges than the equation allowed decision makers to fully recognize and consider.
The bottom line, as most prudent business decision makers know all too well, is that a company’s reputation, while being a potentially very valuable intangible asset, can indeed be very fragile, and once compromised or attacked, unless the company’s reputation-goodwill bank is brimming full in advance, full or partial recovery will be a very costly and time consuming endeavor, if it’s to occur at all.
Michael D. Moberly December 8, 2010
For some time in the private sector, there has been a significant emphasis on integrating the technological capability to make relevant information available up and down a company’s supply and value chains through dissemination and sharing techniques which are often, in my view, a much tweaked approach to ‘knowledge management’. The well intentioned premise of knowledge management, of course, and its 2010 variants, lies in the notion that more people (employees across functional lines) need and should have access to certain information as a tool, if nothing else, to help simplify decision making processes, i.e., speed up the resolution of a problem, or merely create efficiencies.
In such a global ‘sharing’ environment, it should come as no surprise then that PFC Manning, or whoever the culprit or culprits may really turn out to be, either felt compelled, or acted merely because they had the ability to do so, by engaging in the act of downloading and copying what has been described as largely classified information and making it available to Wikileaks, which is merely one of a multitude of ready and willing global ‘technology’ outlets which, when confronted, claim a journalistic orientation which they characterize as rendering them ‘first amendment’ exemptees.
Much research and personal experience tells us however that there are literally thousands upon thousands of PFC Mannings who have the wherewithal and receptivity, if not a penchant, to become an ‘insider’, the term by which we in the information asset protection and security arena refer to them. Insiders are a feisty and persistent lot and pose ever present challenges to companies and organizations alike. They come wrapped and immersed in many different motives which collectively form, I presume, a rationale for doing what they do: stealing, disseminating, and/or selling proprietary or classified information to those who otherwise have no legitimate right to see/read that information, let alone disseminate and publish it in open sources. In the private sector such acts may fall into categories of misappropriation or infringement. In the government classified arena it’s likely to be called espionage!
When insiders are successful, as it appears PFC Manning has been, not once, but perhaps three or more times, the product of their misdeed can, and often does, wreak havoc with its target(s) which today carries many new dimensions especially in the increasingly inter-connected worlds of business and government, not the least of which is straightforward embarrassment on many different levels.
Being somewhat well versed in ‘the insider threat’ arena and the current (on-going) research, the additional risks that this PFC’s illegal behavior has spawned are indeed asymmetric and probably carry long lasting ramifications. Returning to a state of diplomatic normalcy, for the U.S. anyway, will be neither easy nor swift. On the other hand, when circumstances like this occur in the private sector, something with which I’m more familiar, there are many financial, personal, and professional ‘fences that require mending’, some of which remain irreversibly broken.
What’s new and clear relative to this particular incident is that there’s no precedent for the sheer mass of data/information that was taken aside from perhaps the ‘Pentagon Papers’. But that doesn’t discount or explain away the reality that ‘we should have seen it coming’! By ‘we’, I mean both the public/government and private sector.
The work of insiders, while it may not be the world’s oldest profession, certainly does, in my view, rank in the top five. And, to add insult to injury, stealth in this instance was apparently merely a PFC’s ruse of downloading ‘Lady Ga Ga’ music, whoever that is, but, from a remote government computer with access to classified information, I still have a hard time believing this was the act of a single PFC acting alone.
So, this new breed of insider (threat, risk) has emerged that is more calculating, in some respects more stealthy, and whose acts can potentially cause more irreversible, costly, and immediate damage-harm and embarrassment to a company or organization than their predecessors who were largely confined or limited to stealing only ‘hard copies’ that they could put in the proverbial shoe box and carry out of a building under their overcoat, ala the former Detroit auto executive who literally put paper copies of ‘plans, intentions, and capabilities’ of his former employer to take to his new European automaker employer as somewhat of an arrogant, yet very strategic ‘housewarming gift’.
Let me be clear though, this post is not so much about the insider threat posed by the ‘Wen Ho Lee’s who was originally charged, circumstantially at least, with compromising classified materials belonging to a U.S. national laboratory and giving them to an adversary. While this post does have, in my view, considerable relevancy to the classified arena in terms of the types of assets now being targeted, this post is also a ‘wake up’ of sorts to the millions of small and mid-size enterprises (SMEs) that have developed unique and valuable sets of intangible assets that literally deliver (underlie) most companies’ value, revenue, competitive advantages, and market position.
When an SME experiences a theft, misappropriation, or compromise by an insider of one or more of its key intangible assets, while the consequences are certainly not equivalent or comparable to national security breaches, their impact to that SME, in terms of lost revenue, undermined competitive advantages, lost market position, etc., can be, and often is, devastating and irreversible.
So, as this construct, which I call ‘the new insider’ emerges, studies and research conducted by DoD’s Personnel Security Research Center and Carnegie Mellon University’s CERT unit provide important and timely credence and relevance.
A particular PERSEREC study, in my view, contributed significantly to my framing of ‘the new insider’ and the risks-threats they posed by putting it in a very compelling and rational global context. The study to which I’m referring is appropriately titled ‘Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage’. It identified some very ominous challenges governments and companies alike face, relative to trying to deter, prevent, combat or mitigate, however one wishes to portray it, insider risks and threats. The four key ones (taken from PERSEREC’s study), in my view, are described (paraphrased) below:
1. Fewer employees today, and presumably in the future, are (will be) deterred by a conventional sense of employer loyalty. In other words, they have a tendency (proclivity) to view theft of information assets to be morally justifiable if sharing those assets, they believe, will benefit the world community or prevent armed conflict…
2. There is a greater inclination for employees who are – will be engaged in multinational trade-transactions to regard unauthorized transfer of information assets or technologies as a business matter, rather than an act of betrayal or treason…
3. The value of – market for protected information assets, presumably regardless if it is a company’s proprietary information or trade secrets or a government agency’s classified information, has elevated as those so inclined, i.e., insiders, recognize it can be sold for a profit to an ever widening range of receptive global entities…
4. Companies are at greater risk for experiencing insider theft of information assets than previously because there is no single countervailing trend to make it more difficult or less likely to occur…
So, designing effective practices-techniques to mitigate, counter, and ultimately defend against the insider threat, whether it be PFC Manning, or far more technologically sophisticated players, should, above all, not be based solely on or unduly prejudiced by (a.) past practice, (b.) anecdotal (internal, external) snap shots in time, or (c.) generalized assumptions about ethnic allegiance. Rather ‘defenses’ to the broad and complex phenomena of insider threats should be well grounded in the relevant, current, and applied research and findings of highly specialized research as noted here.
Let it suffice to say, insider (threat) challenges, left unchecked, or poorly addressed, can produce wide ranging cascading effects that can instantaneously ripple throughout a company or government agency. Such risks are unlikely to miraculously recede or fade away through attrition, terminations, or resignations, etc. Rather they require execution of best practices that reflect and can rapidly adjust to forward looking research, not merely plugging yesterday’s leaks.
Michael D. Moberly December 6, 2010
Given the well warranted attention of late to ‘cyber security’ and ‘cyber warfare’ there absolutely should be no debate nor question about the risks and strategic (cascading, infrastructure) chaos and havoc that such deliberate (cyber) attacks could cause.
As an information asset protection practitioner however, it appears the narrative is being rather narrowly framed or perhaps overly influenced by a cyber (IT, computer) security orientation leaving little or no recognition or resources for protecting critical information that’s often misperceived as existing solely in electronic bits and bytes formats.
Framing (public, private sector) information protection – security policies and practices primarily through a cyber security and/or attack lens, which, make no mistake, are indeed serious and warrant attention, offers insufficient attention, in my view at least, for the economic fact that today, 65+% of most companies’ value, sources of revenue, sustainability, and ‘building blocks’ for growth lie in – are directly linked to intangible assets such as a company’s proprietary know how, intellectual property, competitive advantages, brand, reputation, image, goodwill, etc. In other words, a company or organization’s most valuable information and intellectual capital-based assets may not be found in computer-IT systems.
Information protection policies and practices with a dominant IT – cyber (risk, threat) orientation can serve to minimize, if not undermine, the equally important message (reality) for companies and organizations operating in the knowledge-intangible asset based economy, which is, everyone, not only those in corporate IT – cyber security units, has responsibilities for safeguarding proprietary mission critical information, regardless of the format in which it exists or how it is stored.
Today, information asset protection and cyber security policies and practices must be collaborative and cross-functional initiatives. As information security specialists know, proprietary – sensitive business information often percolates throughout a company or organization and is not strictly confined or limited to what is accessible solely through one’s laptop, desktop, or ‘from the cloud’. In other words, mission essential and value/revenue producing (intangible) assets exist as intellectual, human, and structural capital and organizational capability.
To be sure, information security policies/practices that imply, by having a dominant IT – cyber security orientation, that all valuable, important, and proprietary information (a.) evolves from, (b.) is stored in, and/or (c.) is backed-up by an IT system, can send a misleading, if not erroneous message to employees which is, ‘if the company’s IT system is proclaimed to be secure, then the company’s sensitive, proprietary and competitive advantage information must also be secure’. But, in today’s increasingly predatorial, globally competitive, and winner-take-all business environment, that’s an assumption (message) no company can afford to convey, inadvertently, or otherwise.
For the unconvinced, try listening to cell phone conversations in hotel lobbies and airport lounges, glance at the laptop screen of the person seated next to you, or view social media pages and profiles of key employees. The ‘roadmaps’ to a company or organization’s crown jewels which an adversary can hear or observe in these, and many other circumstances that are well outside the conventional cyber (computer/IT) security realm, are genuinely astonishing.
It is certainly not my intent to be dismissive about our capability to rapidly identify, assess, and successfully and consistently thwart the very real risks and threats posed by cyber attacks which, as most realize, can target specific centers of the U.S. infrastructure, i.e., banking, healthcare, transportation, energy, etc. Having effective defenses against cyber attacks is an essential ingredient to our national and economic security and sustainability.
But, it’s also important to recognize that both (cyber) terrorist organizations and economic/competitive advantage adversaries can acquire, with varying degrees of ease, a single company or organization’s most valuable and treasured trade secrets and competitive advantages and literally wreak economic and market havoc, one company or one organization at a time. As former FBI Director Sessions is credited with saying, ‘our economic security equates with our national security’.
Michael D. Moberly December 3, 2010
The decision by Craig’s List to shut down its ‘adult services’ section, fell, in my view, into the no-brainer category. I am confident there have been numerous and probably on-going meetings over the past year among the company’s hierarchy, in which ‘what to do about their adult services section’ was a key action item on the agenda. I am equally confident the room in which those discussions took place had a fair number of legal, public/media relations, reputation risk, and financial advisors on hand, each offering their perspectives and projections about the outcomes of various courses of action under consideration.
It’s not rocket science to assume the consensus reached in most of those meetings, at least up to the September 4th decision to suspend the adult services section, had something to do with the economic fact – business reality that the adult service section was a consistent revenue generator to the tune, we’re told, of $37+ million per year.
The situation Craig’s List eventually found itself in, was ‘company reputation risk management 101’, pure and simple.
I suspect during some of the initial meetings among Craig’s List hierarchy, when the ‘what should we do about the adult services section’ question was being discussed, at some point, consensus was reached to ‘ride this out’ for as long as possible which translated as, unless and/or until the adverse public reaction rises to some pre-determined level, e.g. 15+ state attorneys general filing civil actions and going public with their admonitions, that the remaining (last resort) option would be executed, i.e., shut down the adult services section altogether.
In today’s extraordinarily competitive, aggressive, intertwined, and web-based services arena, company reputation risk is global, often relatively fragile, unless that is, your company’s reputation ‘bank’ is brimming fully, and generally vulnerable to a range of spontaneous, inadvertent, and/or purposefully executed acts or events.
But, from a company reputation risk management perspective, the Craig’s List situation, was not specifically sparked or orchestrated by a single special interest group blog blitz that went viral.
Instead, the situation experienced by Craig’s List was entirely of their own making and their own decisions. The adverse sentiment and reactions to their adult services section had been simmering above and below the surface for many months presumably as Craig’s List decision makers made repeated business decisions, prior to the September 4th shutdown, to permit the adult services section to literally evolve with the increasingly transparent and explicit offerings (content) for sexual services.
Craig’s List hierarchy appears to have utterly dismissed, what, in my view, are well recognized best practices found in ‘reputation risk management 101’. Now, some fifteen state attorneys general have joined in a ‘class action’ of sorts against the Craig’s List adult services section, describing it as merely a thinly veiled web-based advertising platform for prostitution and an array of other sexual services.
Among the many puzzling aspects about this situation is Craig’s List’s decision to not remove the adult services section altogether from their website, opting instead to insert, in its place, a bar bearing the word ‘censored’. While I pretend to have no special insight into decision making processes within Craig’s List hierarchy, the decision to use the word ‘censored’ in this instance, implies the suspension of the adult services offerings may be more of a temporary patch, so to speak, with a more permanent ‘fix’ still under consideration.
Most reputation risk (management) experts agree that an effective starting point for conceiving – designing a company-wide reputational risk management program is to ensure it is thoroughly aligned with (a.) the company’s core business, and (b.) the perceptions and expectations of the various stakeholders. When any component is not routinely monitored and assessed, a company can expect ill-feelings to fester, and in a growing number of instances, become significantly broader and deeper than they may have initially thought had decision makers given the matter its due attention.
Interestingly, with respect to Craig’s List, it’s not as if their adult services section was their only (service) offering, even though it served as a consistent and rising producer of revenue. And, we must not overlook the reality that if such (adult) services were not in demand, particularly in a semi-anonymous web-based format ala Craig’s List, it’s likely, from a business perspective, that Craig’s List would have discontinued that offering perhaps at the initial hint of problems to come. By doing so they could have leveraged that decision to reap long lasting accolades from their stakeholders versus being on the receiving end of civil actions from a growing list of detractors, particularly at the start of the mid-term political campaigns. Bad timing on their part perhaps.
Reputation risk management is about being proactive, forward looking, and forward thinking. It takes years to build a reputation, but today, a company’s reputation can literally be severely damaged, if not irrevocably lost, in a single day! Company reputation, says Jeffrey Resnick, is as much about perception and the perception of behaviors, as it is about fact. It’s about ethics, trust, relationships, confidence, and integrity, and interestingly, is built on the fundamental belief that management knows how to run its business and will win in the long run. Perhaps we should ask decision makers at Massey Coal, Toyota, BP, and now Craig’s List about that.
Still many company management teams and boards hold the view that reputation risks are merely temporary public relations problems which can be pre-empted, mitigated, and/or quickly remediated through targeted public relations campaigns. I find such perspectives out-of-step with the 24×7 realities of global news – talk show cycles and the global reach of the Internet and its highly connected social media platforms.
Reputation glitches, such as the one Craig’s List was in the midst of, represent substantive ‘wake-up calls’ for management teams and boards to immediately, closely, and objectively examine how or whether their company culture genuinely reflects their public behavior and meets the expectations of its customers, consumers, and clients.
It’s conceivable to assume that company reputation risk management will now be ratcheted up on Craig’s List to-do list!