Archive for 'Communicating Risk'

Cost Of Employee Misunderstanding…$37b in Intangible Assets

July 9th, 2017. Published under Communicating Risk, Intangible asset assessments/audits, Intangible asset focused company culture.

Michael D. Moberly July 9, 2017 ‘A business intangible asset blog where attention span really matters’!

I am reminded of a ‘buy offer’ several years ago when Steve Balmer (Microsoft) expressed interest in purchasing Yahoo! for a reported $43 billion. And, according to multiple respected estimates, perhaps as much as $38 billion of the ($43b) purchase price, had the transaction been executed at the time, would be comprised of Yahoo’s IA’s (intangible assets), primarily in various forms of intellectual, structural, and relationship capital.

The $37b figure should come as no surprise to those even minimally familiar with the irreversible trend (economic fact) that companies are far less reliant on tangible-physical assets and instead, transitioning, at a rapid pace to IA intensity and dependency. The reason lies in the unchallengeable economic fact that 80+% of most company’s value, sources of revenue, and ‘building blocks’ for competitiveness, growth, sustainability, and profitability today lie in – evolve directly from IA’s, particularly intellectual, relationship, structural, and competitive capital.

What I am suggesting is this: should the $38b figure noted above be reasonably correct, which I believe it is, it alone should influence c-suites and management teams to review a 2008 IDC ‘white paper’ study ( ) commissioned by Cognisco, which self-describes as ‘the world’s largest intelligent employee assessment specialist’. The study’s findings provide evidence that the UK and US employers considered in the study are losing an estimated $37 billion annually from their EBITDA, due primarily to actions or errors of omission by employees who, for various reasons, misunderstand, have misinterpreted, or were misinformed about company processes, practices, policies, or their job function.

The report, titled ‘Counting the Cost of Employee Misunderstanding’, revealed the scale of the impact, i.e., $37 billion annually is attributable to employee misunderstanding, which the report defines as actions taken by employees who have misunderstood or misinterpreted (or were misinformed about, or lack confidence in their understanding of) company policies, business processes, job function, or a combination of the three.

The study indicates many businesses are generally aware of the costs attributed to (employee) misunderstanding, yet approximately one in three self-report having taken actions to close the ‘misunderstanding gap’. From this, it’s certainly not a stretch for company security directors and managers to assume businesses are quite literally inviting risk through sustained employee misunderstanding.

Particularly noteworthy in the study’s findings is that approximately two thirds of the ($37b) cost of employee misunderstanding reported by the 400 companies in the 12 months encompassing the study were attributed to…

• loss of business due to unplanned downtime (32%).
• poor procurement practice (17%).
• costs and settlements incurred from regulatory penalties and tax or revenue penalties (16%).
• placing a business at risk of injuries to employees and/or the public, and
• loss of sales and reduced customer satisfaction.

The findings also highlighted that the real cost of employee misunderstanding may be even higher when costs such as the impact on brand, reputation, and customer satisfaction (also intangible assets) are accounted for.

Mary Clarke, former CEO at Cognisco, notes, rather obviously, that “if an employee misunderstands or misinterprets actions there will be repercussions, from loss of business to impaired brand image. But what is often not measured is the employee’s confidence to take the appropriate actions, which can also have a significant impact.”

Corporate Security Organizing Principles, It’s All About Intangibles!

May 23rd, 2017. Published under ‘Safeguarding Intangible Assets’, Communicating Risk, Design thinking.

Michael D. Moberly May 23, 2017 A business intangible asset blog where attention span really matters!

Organizing principles, objectively grounded in fact rather than in anecdote, give legitimacy to how particularly complicated and multi-faceted phenomena are articulated and effectively addressed. Organizing principles are extensions of (symbolize) the way we, as individuals or companies, conceptualize and/or have come to hold specific assumptions (correctly or incorrectly) about a particular phenomenon, event, circumstance, or human activity.

More specifically, how corporate security directors interpret – assess their role and contributory value to preventing-mitigating risk, i.e., adverse phenomena, may incorporate anecdotal bias and therefore be, at least in part, flawed insofar as being an effective security – asset safeguard – risk mitigation practice.

For many corporate directors of security, the act-process of conceptualization encompasses…
• who, what, when, where, why, how, and presence – absence of risk specific circumstances.
• distinguishing the dynamics of a transaction, new initiative, R&D, etc., insofar as intangible assets in play.
• probability of, vulnerability to, and criticality produced by certain risks, when-if (should) they materialize.

Frequently too, corporate security organizing principles…
• represent (convey – symbolize) the strength and relevancy that security attaches to those dynamics.
• frame-comprise security’s assumptions and ultimately influence how security directors conceptualize a companies’ – businesses’ transactions, initiatives, and processes in terms of risk materialization, commencement, and (adverse) effect on the intangible

Ad hoc practices, on the other hand, are the opposite of the concept of ‘organizing principles’. That is, ad hoc, through my lens, is aligned – associated with the time-honored practice of ‘muddling through’, which experienced practitioners recognize may occasionally work.

If – when a business leader claims ad hoc practices function satisfactorily in terms of consistently achieving desired outcomes, I believe it’s important to acknowledge that extemporized practices taken to mitigate risk may be rooted, at least in part, in the absence or irrelevance of circumstance (company) specific ‘organizing principles’, which after all are largely intangible, i.e., comprised of intellectual, relationship, and structural capital.

The notion of ‘muddling through’ is often associated with the political (science) arena. Muddling through is often over-simplified (in a military context) as the oft cited notion which suggests ‘after the first shot is fired, all prior planning, regardless of its strategic quality, goes to hell!’

I can think of no circumstance in which ‘muddling through’ should be recognized as a viable or legitimate strategic practice.
For these reasons, I encourage company security directors to exercise caution and prudence when organizations equate – elevate ‘ad hoc’ practices to the level of boastful satisfaction; yes, such practices may have been the product of individual – sector specific judgements and experiences, but they are not to be mistaken for ‘flying by the seat of one’s pants’. (This has been substantially adapted/modified by Michael D. Moberly from the fine work of Noah Gordon, The Atlantic, August 14, 2016.)

Operationally speaking, if-when company security directors’ operating principles are not practically aligned – coincide with how c-suites conceptualize risk(s) associated with particular initiatives, circumstances, and/or transactions, it’s time to seek – create opportunities to elevate their functional familiarity with the intangible assets in play for each circumstance and their respective risks.

Intangible Assets and Business Pundits

April 26th, 2017. Published under Business Transactions, Communicating Risk, Intangible asset focused company culture.

Michael D. Moberly April 26, 2017 ‘A business intangible asset blog where attention span really matters’.

I suspect, not unlike in numerous other skill set rich professions, those who have achieved operational familiarity and experience with IA’s (intangible assets) are quick to recognize when pundits and otherwise self-described SME’s (subject matter experts) weigh in on business matters such as IA’s that clearly exceed their knowledge base, and merely offer generalizations absent experiential specifics, with the result of sending misleading, simplistic, or even incorrect messages.

For example, I find it frustrating, and certainly a disservice when a pundit speciously characterizes an under-performing business, or transaction as being the consequence of a single misstep, miscue, or oversight by business leadership and/or management team. In part, that’s because my work has occasionally been construed as ‘michael claytonish’ ala ‘an intangible asset fixer’ (from the film titled ‘Michael Clayton’ played by George Clooney).

When clients describe the various services that I perform on their behalf (in the context of intangible asset strategist, risk specialist, and trainer), as ‘fixing their intangible asset circumstances’, that seems fitting.

On the other hand, not infrequently, when a business undertakes – executes what may appear to a pundit at the time to be a particularly challenging, perhaps even overly risky business venture-transaction, and that venture is then reviewed by a competent and objective IA strategist and risk specialist, it will be revealed that a key – underlying reason for any subsequent under-performance, transaction withdrawal, or failure is variously attributable to operational – circumstantial unfamiliarity with how, when, why, where, and which IA’s were in play but were not acted on effectively, lucratively, or competitively, or worse, were insufficiently safeguarded, monitored, or risk-mitigated.

In short, the planning and execution of an under-performing transaction, its failure, or one or both parties electing to ‘walk away’ is more often variously attributable to unfamiliarity, operationally speaking, with the intangible assets in play and most relevant to the projected outcome.

To be sure, IA unfamiliarity, which frequently translates as the omission of IA’s from transaction planning, execution, and due diligence, leaves their contributory role and value and anticipated sources of revenue and competitiveness (irreversibly) out of a business transaction’s ‘go, no go’ equation, and ‘off the transaction negotiating table’.

By doing this, the dominant drivers and ‘underwriters’ of most every business transaction, i.e., the IA’s which are inevitably in play, become vulnerable to various types-levels of risk, e.g., undermining of competitive advantage, rapid erosion of (asset) value, and/or asset compromise. Any one, or multiples, of such risks can negate or substantially minimize any projected-desired outcomes of a transaction, irrespective of sector or stage of execution.

Through my lens of experience, many challenges associated with resolving business process problems and/or poorly planned-executed transactions that originate in unfamiliarity with, or not recognizing, IA’s in play are redeemable. Through numerous engagements, I have concluded many such challenges are variously due to IA’s being ‘non-physical’ and therefore outside conventional human senses, i.e., sight, hearing, touch, smell, etc. Consequently, this (asset) ‘intangibility’, combined with the reality that IA’s are seldom, if ever, reported on conventional financial statements or balance sheets, somewhat understandably influences business leadership and management teams to exhibit hesitancy and reluctance to consider IA’s as relevant players and/or contributors to company value, competitiveness, revenue, or sustainability.

This author’s forthcoming book respectfully mitigates most, if not all such reluctance and hesitancy by ensuring thorough, relevant, and practical explanations and rationales are in place to address the various contexts – circumstances in which IA’s are in play through their contributory role and value.

It is true, a percentage of business leadership remain variously dismissive and under-appreciative of IA’s, i.e., what they are and how to utilize (exploit) them effectively, lucratively, and competitively; in other words, their contributory role, value, and the competitive advantages they can, and often do, produce. Not so coincidentally then, when IA’s are treated dismissively or wholly neglected, their contributory value will be significantly weakened, conceded to competitors, or relegated to the non-denominational and virtually unusable ‘catch-all’ of goodwill.

Either way, I find there is no single mechanism to overcome these real and detrimental shortcomings, aside from seeking – achieving operational level familiarity with IA’s for which one has control, use, ownership, and (certain fiduciary) responsibility to safeguard, exploit, monetize.

Consistently however, practitioners that possess operational familiarity with their various IA’s in play to a transaction or initiative, i.e., as direct components – contributors to projected value, revenue, competitive advantages, and marketing and branding outcomes, also recognize – have operational insights about how IA’s have direct bearing on company value and revenue, which extends well beyond merely what’s posted on conventional financial statements and balance sheets.

The position conveyed here, and throughout my forthcoming book, is that exclusive reliance on conventional financial statements and balance sheets as strategic oracles for business operation and transaction planning, absent factoring in essential IA-related data, will likely lead to arbitrary, subjective, and unsystematic tracts for execution. However, the rapid expansion of effective, competitive, and lucrative business operability, i.e., IA intensity and dependency, provides the credence and rationale for business leadership and management teams to recognize IA’s contributory role and value, which this book and this author consistently argue are warranted.

Sewing Intangibles of Fear, Uncertainty, and Doubt

August 8th, 2016. Published under Communicating Risk, Intangible asset strategy.

Michael D. Moberly August 8, 2016 ‘A blog intersecting intangible assets and business’!

As noted in previous posts, fear, uncertainty, and doubt (FUD) are intangible assets (or liabilities) depending on who the recipient(s) may be, the content-context of what’s being conveyed, the motive – intent of the individual, movement, or organization conveying FUD, and how it may influence and/or manifest as actions – reactions from/by those being targeted and receptive to the message.

It’s important to recognize that when an individual(s) achieves or assumes some type of leadership – spokesperson role that includes having a platform to exploit – intensify (current, future) fears, uncertainties, and doubts beyond the realities, that individual can influence – motivate the receptive to supportively band together.

A seemingly frequent outcome for purveyors of FUD is that the listeners (observers, recipients, targets) of such pronouncements will acquire a sense of connection to those proselytizing. And, at some point, they will become regressively disillusioned to the point of wholly disregarding-dismissing alternative facts, reason, context, and reality in favor of the broad, over-dramatized generalizations and half-truths being espoused.

One can routinely observe FUD principles, or carefully contrived variations, exploitatively woven into media advertisements as underliers to introducing and selling a large percentage of (new) products and services in ways that appeal to – accommodate – address broad numbers of prospective buyers’ – clients’ circumstances, needs, aspirations, or frustrations with the status quo. Numerous researchers attribute such receptivity to the notion that fear, uncertainty, and doubt are grammatically and visually easy to convey.

Too, in many contexts, well scripted presentations (advertisements) that incorporate timely, relevant, and specific elements of FUD can influence receptive parties to assume there are relatively quick and simple (single) fixes. In other words, if x is purchased and deployed (generalization) one’s problems and/or frustrations, at least how they are perceived, will be substantially reduced, if not go away altogether. Of course, that seldom happens in full.

Lethal Autonomous Weapons Systems’ Intangibles

May 5th, 2016. Published under Communicating Risk, cyber warfare.

Michael D. Moberly April 5, 2016 ‘A blog where attention span really matters’!

Lethal autonomous weapons systems (LAWS) represent, in my judgment, an inevitable, but, as yet, incomplete class of weapons embedded with capabilities to independently select and engage targets (adversaries) without human (operator) assessment and/or interventional oversight.

LAWS are unlike existing (conventional) pilotless drone ‘aircraft’ in the sense they are – will be largely, if not wholly, autonomous. In other words, as I have come to understand LAWS, once deployed in various manifestations, they can surveil, assess, and execute in a wholly independent manner presumably with internal assessment and decisional guidance wrapped in AI (artificial intelligence) software.

The development and introduction of remotely piloted – controlled drones for operation in theaters of combat, counter-insurgency and counter-terrorism, and for surveillance and intelligence gathering, serve as real time hedges favoring the expansion of risk-averse strategies, particularly with respect to human life. Obviously, drones deployed in war fighting circumstances can deliver devastating munitions to specified adversaries – targets with the aid of satellite and global positioning systems, but only at the direction of their human operators and overseers, thus mitigating the risk and the requisite for ‘boots on the ground’.

Presumably LAWS, on the other hand, will be designed – programmed with capabilities to identify, assess, and self-authorize target engagement, i.e., seek, find, distinguish, select, and engage targets absent human intervention or oversight, ala the simultaneous introduction of infinite numbers of ‘jason bournes’ to a conflict theater. LAWS could presumably function (also) as ‘defensive’ weapons, i.e., as a theater interceptor – destroyer of an adversary’s incoming munitions, to supplant human reaction times.

Aside from the autonomy and independence of such weapons systems, their development and use is presumably intended to mitigate – favorably affect humans’ – societies’ intangible senses – perceptions of risk, fear, and safety, while simultaneously serving as formidable strategic deterrents, each being an intangible. To be sure, adversaries and allies alike are aggressively pursuing comparable-competing LAWS war fighting capabilities, the theater functionality of which may be more-less effective, at which time the aforementioned intangible (asset) senses will likely change accordingly.

This post was inspired by the writings of Heather M. Roff, particularly an article published in Slate Magazine (online) dated April 7, 2016, titled ‘Killer Robots on the Battlefield: The Danger of Using a War of Attrition Strategy with Autonomous Weapons’, in advance of her testimony at the U.N.’s April 11, 2016 ‘Convention on Certain Conventional Weapons’ in Geneva.

Vietnam War and Combat Intangible Frustrations

March 4th, 2016. Published under Communicating Risk.

Michael D. Moberly March 4, 2016 ‘A blog where attention span really matters’!

“Those who fail to learn from history are doomed to repeat it”, a quote widely attributed to Sir Winston Churchill, variously confirms a range of frustrations shared by many Vietnam War combat veterans with respect to how the wars in Iraq and Afghanistan were prosecuted.

In the U.S., we have come to assume any war, particularly those post-WWII, breeds proponents and opponents, with the differences frequently arising from nuanced social, political, moral, and even national security arguments that eventually, but inevitably, morph into untoward revelations about a war’s underlying rationale and prosecution, which, in turn, give rise to doubts, questions, frustrations, and public weariness, e.g.,

• what are the ‘knowns and unknowns’, i.e., foreseen and unforeseen tradeoffs and consequences?

• is the war being prosecuted as effectively (tactically, strategically) as it should be, and with sufficient transparency?

• what means exist for regularly measuring the war’s status, i.e., are specific political-moral-military-national security objectives being met?

To be sure, frustrations evolve, repeatedly evidenced when tactical, strategic, and/or policy misjudgments and misdiagnoses occur, all too often marked by an absence of ‘lessons learned’ from numerous prior comparables, i.e., the Vietnam War vis-à-vis the Afghanistan and Iraq wars.

I am confident that, had any military war planner – tactician asked any Vietnam War (ground) combat veteran, prior to deploying large numbers of U.S. troops to Afghanistan and Iraq, to describe the risks-threats for which it would be prudent to train and prepare combat troops in advance, their responses would likely revolve around…

• there will be more sophisticated versions of ‘booby-traps’ of all types, the former a term/phrase ludicrously modified to IED’s (improvised explosive devices), and ‘suicide bombers’.

• any prospect of ‘winning hearts and minds’ of independently indigenous (religious) sects-cultures marked by thousand-year histories of conflict will be long, risky, and costly, and very likely produce a disappointing outcome.

• the wars in general, and the fighting specifically (in Iraq, Afghanistan), will occur with 360-degree asymmetry and 24/7 spontaneity.

• recognition that a primary, perhaps the primary, difference between combat in Iraq and Afghanistan and combat in Vietnam is terrain!

• training indigenous personnel for ‘standalone’ defense of their region – country will be challenging, time consuming, and costly, and will probably never produce a fully desirable outcome; lackluster performance of the indigenous military will collectively translate to a politically and socially unsustainable willingness to continue indefinitely.

• mitigating – countering the influx and actions of religiously indoctrinated – self-described insurgents will be challenging and achieve only sporadic territorial gains, which can be quickly undermined – lost when troops are withdrawn.

It seems apropos then to revisit the aforementioned quote attributed to Mr. Churchill, i.e., “those who fail to learn from history are doomed to repeat it”. It’s quite possible Mr. Churchill’s quote was co-opted and re-phrased by the U.S. military to ameliorate the persistence of more recent tragedies as ‘lessons learned’. For example, consider the April 1996 plane (Boeing 737) crash in Croatia that killed then Secretary of Commerce Ron Brown and 34 other American aides and business persons accompanying the Secretary on a trade mission. Following this incident, the U.S. Air Force, primarily, compiled a 7,700-page document titled ‘lessons learned’.

One of the most significant takeaways from that document, in my judgment, was the fact that numerous civilian and military pilots had personal and recent knowledge of the risks and challenges associated with negotiating the runway – a landing at the same Croatian airport. Such reports, conveyed over a period of time prior to the crash of Secretary Brown’s plane, were probably at echelons well below what would be required to produce change. As the report admits, most, if not all, of the relevant concerns went unasked, until, that is, the Secretary’s plane crashed, upon which it became ‘time to ask’.

Mr. Moberly is an intangible asset strategist and risk specialist and author of ‘Safeguarding Intangible Assets’, published by Elsevier in 2014. View Mr. Moberly’s videos on YouTube at ‘Safeguarding Intangible Assets’.

Reporting Intangible Assets

January 21st, 2016. Published under Board oversight, Communicating Risk, Fiduciary Responsibility.

Michael D. Moberly January 21, 2016 ‘A business blog where attention span really matters’!

When-wherever there is institutionalized indifference about the treatment of IA’s (intangible assets) at the hands of organization-company boards, management teams, legal, security, marketing, accounting, etc., there will be a comparable stifling of curiosity for pursuing the actual contributory role and value of IA’s, apart from the growing fiduciary responsibility to engage IA’s beyond the singular catchall of goodwill, as described in Stone v. Ritter, 911 A.2d 362 (Del. Supr. 2006).

Yes, it remains quite true, IA’s are seldom, if ever, reported on company balance sheets or financial statements, a reality which I suspect will change in the not too distant future. In large part, the change away from (IA) indifference and dismissiveness to acknowledgment and engagement will be influenced (also) by necessity, e.g.,…

• to provide more complete portraits of organization value, competitiveness, sustainability, and performance.
• otherwise, organizations will be left unnecessarily holding far too many unknowns, uncertainties, and risks.

Not being trained in organizational psychology per se, it would be a reach to state with absolute certainty why, how, or to what depth (organization) ‘IA deniers’ hold their position. As an intangible asset strategist and risk specialist, however, experience rather clearly suggests that the rigid inflexibility I encounter with ‘IA deniers’ will be challenged as IA intensive – dependent organizations become the norm, coupled with the managerial requisite for…

• making consistently effective decisions whenever, wherever, and however IA’s are in play, which complements organizations’ interest in attracting go fast, go hard, go global management teams.

Mr. Moberly is an intangible asset strategist and risk specialist and author of ‘Safeguarding Intangible Assets’, published by Elsevier in 2014. View Mr. Moberly’s videos on YouTube at ‘safeguarding intangible assets’ or his CNN and CNBC videos at his webpage.

Intangible Asset Risk Assessments: Qualitative vs. Quantitative

February 27th, 2014. Published under Communicating Risk, Due Diligence and Risk Assessments, Enterprise risk management.

Michael D. Moberly February 27, 2014 ‘A blog where attention span really matters’.

As most readers of this blog recognize, generally through their personal – professional experiences, assessment and management of (company) risk has indeed become increasingly more complex and multi-faceted, particularly as we endeavor to guide our companies and/or clients through the respective operational, audit, compliance, and budgeting obstacle course.

Throughout this so-called obstacle course, it is likely we will become inclined, at some point, to justify most, if not all of the factors used to assign a reasonably correct ‘risk rating’ to the various business units within our company or that of our clients.

But, and probably rightfully so, more company decision makers are requiring quantitative (data) driven findings to support a particular risk rating. So, no longer can security – risk management practitioners find comfort by focusing their attention almost exclusively on the latest zero-day risk materialization or exploitation events, a rather archaic approach. To be sure, that landscape has changed so significantly that we must assume greater responsibilities.

So, in the security, asset protection, and risk-threat assessment and management arena, presenting a risk-threat rating that is simply or solely based on numbers may not result in the best (risk, threat) analysis that we are seeking. Thus, one path that gets us closer to a more accurate understanding of the actual risk-threat level necessary for business strategic planning and decision making is to introduce and factor multiple elements into the risk-threat analysis equation.

Thus, as we more routinely adopt a more inclusive and/or multi-dimensional view toward assessing risks and threats, additional complexity will likely be one outcome, e.g., both quantitative and qualitative forms of measurement.

Quantitative risk-threat assessment…
Quantitative risk assessment surfaces as we develop the ability to assign a (specific) dollar amount/value to a specific risk or threat should it materialize. As an example, let’s apply quantitative risk assessment to a healthcare institution.

For simplicity, there are 1,000 confidential patient records and data that reside in a single database. This particular database is directly accessible by a web server which resides in a semi-trusted environment. That, of course, constitutes a vulnerability (risk) in itself, and any compromise of the method in which the web server communicates with the database would likely result in the exposure (compromise) of all 1,000 patient records holding confidential data as defined by HIPAA (Health Insurance Portability and Accountability Act).

Too, for discussion’s sake, and to add further complexity, during a recent ‘business impact analysis’ or BIA, it was found that the replacement cost for each compromised patient record would be $30. This cost includes (a.) contacting each patient to inform them of the compromise, (b.) changing each patient’s account number, and (c.) printing new health cards.

From this, one can easily determine that the maximum quantitative loss associated with a full compromise of that system is conservatively estimated at $30,000, excluding, of course, the inevitable litigation. No doubt, as readers already surmise, there is more to consider. But does quantitative risk always have to ‘map out’ the money (loss or cost) aspects associated with materialized risks-threats? Probably not, because in many instances controls are automated, with internally consistent and repeatable numbers being generated that can be used to create an alert dashboard or report directed to business unit managers when breaches or other adverse events occur.

Qualitative risk-threat assessment

Qualitative risk-threat assessment, on the other hand, takes a different form. To demonstrate qualitative risk-threat assessment it is important to introduce additional factors, i.e., threat-risk vectors, into the above example.

The first is that we learn the patient database that previously held 1,000 records will now hold 10,000 records, possibly rising to 500,000 patient records. We also learn that (a.) multiple groups and/or business units within the healthcare institution will have access, (b.) they will have the capability to modify patient records, and (c.) the database/system will now come under the control of a different unit, i.e., the company’s Operations Group.

Obviously, substantive changes like this elevate – bring additional complexity to the risk-threat assessment we are endeavoring to calculate. To add yet another layer of complexity to our risk-threat analysis, we are informed by the audit unit that the data in the database is (d.) encrypted neither in transit to the web server nor at rest on the database. The coup de grace follows with the audit unit giving exactly ninety days to document and remediate this adverse set of circumstances, i.e., risks, threats, vulnerabilities, because, as it stands, this healthcare institution’s IT system is not in compliance with HIPAA. Collectively, the additional factors serve to expand the risk-threat equation.

Now that these vulnerabilities (risks, threats) are known to exist relative to the institution’s IT system, the next steps involve (a.) linking costs to any actual compromise, i.e., the materialization of a risk-threat or a vulnerability being exploited, and also determining (b.) the probability that a specific vulnerability, or possibly multiple vulnerabilities that have been identified, will be discovered and adversely exploited by bad actors, or (c.) the probability of a single vulnerability materializing and cascading throughout the IT system.

Assessment process…

The assessment process commences by examining the cost(s) associated with potential compromises, as (a.) single acts, (b.) multiple acts occurring simultaneously, and (c.) the potential for adverse cascading effects throughout the institution, perhaps well beyond the IT system itself.

Because we now know there may be in excess of 500,000 confidential patient records stored on the database, it’s often prudent to consider and factor in absolute worst-case scenarios, i.e.,

500,000 records X $30 remediation cost per record = $15 million.

From most any company’s perspective, the possibility of $15 million being ‘at risk’ is significant. One problem with relying solely on this formula is that it is largely one-dimensional. In other words, just because a bank has $100 million in cash in its vault does not mean the money could easily be stolen from the vault.

So, being prudent security and risk management professionals, we must have other ways to assign a particular level of risk to a particular vulnerability, ways that fully consider multiple (known) risk factors rather than just one, and that do not ignore the possibility that multiple risks could materialize in some sequence and cascade. Such added (risk-threat-vulnerability) complexities should prompt practitioners to re-visit qualitative risk ratings.

One reason is that many companies, organizations, and institutions learn they need multiple, perhaps three to five, qualitative risk levels, which are often expressed in relatively simple but, in my view, ambiguous terms like low, medium, and high.
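As an added example (not part of the original post, and not any organization’s actual model), the following Python puts the scenario above into code: the one-dimensional worst case of records × remediation cost, plus a multi-factor qualitative rating that combines the likelihood that at least one of several vectors materializes (the cascade concern) with impact, on five named levels rather than low/medium/high, and compares the rating before and after one remediation. All probabilities, exposure fractions, and band cutoffs are constructed assumptions.

```python
from dataclasses import dataclass, replace
from math import prod

# Constructed assumption: remediation cost per compromised patient record (the post's $30).
COST_PER_RECORD = 30.0


@dataclass(frozen=True)
class Vulnerability:
    """One risk-threat vector. Both numbers are assumed analyst inputs, e.g. informed
    by penetration-test and vulnerability-scanner findings."""
    name: str
    annual_probability: float  # assumed chance the vector is exploited within a year (0..1)
    fraction_exposed: float    # assumed share of all records one exploitation exposes (0..1)


# Constructed scenario mirroring the post's healthcare database example.
SCENARIO = (
    Vulnerability("patient data unencrypted in transit to web server", 0.10, 0.02),
    Vulnerability("patient data unencrypted at rest on the database", 0.05, 1.00),
    Vulnerability("several business units can modify records", 0.20, 0.10),
)


def worst_case_exposure(record_count: int, cost_per_record: float = COST_PER_RECORD) -> float:
    """The post's one-dimensional figure: every record compromised, times cost per record."""
    return record_count * cost_per_record


def probability_any_exploited(vulns) -> float:
    """Chance that at least one vector materializes; assumes the vectors are independent."""
    return 1.0 - prod(1.0 - v.annual_probability for v in vulns)


def likelihood_band(p: float) -> int:
    """Map a probability onto a 1..5 band (assumed cutoffs)."""
    return 5 if p >= 0.5 else 4 if p >= 0.25 else 3 if p >= 0.1 else 2 if p >= 0.02 else 1


def impact_band(loss: float) -> int:
    """Map a dollar loss onto a 1..5 band (assumed cutoffs)."""
    return 5 if loss >= 1e7 else 4 if loss >= 1e6 else 3 if loss >= 1e5 else 2 if loss >= 1e4 else 1


LEVELS = {1: "negligible", 2: "low", 3: "medium", 4: "high", 5: "critical"}


def qualitative_level(likelihood: int, impact: int) -> str:
    """Five named levels from a likelihood x impact score of 1..25 (assumed matrix)."""
    score = likelihood * impact
    band = 5 if score >= 20 else 4 if score >= 12 else 3 if score >= 6 else 2 if score >= 3 else 1
    return LEVELS[band]


def assess(vulns, record_count: int) -> dict:
    """Combine the quantitative worst case with a multi-factor qualitative rating."""
    worst = worst_case_exposure(record_count)
    expected_annual_loss = sum(v.annual_probability * v.fraction_exposed * worst for v in vulns)
    largest_single_loss = max(v.fraction_exposed for v in vulns) * worst
    p_any = probability_any_exploited(vulns)
    return {
        "worst_case_exposure": worst,
        "expected_annual_loss": expected_annual_loss,
        "probability_any_exploited": p_any,
        "level": qualitative_level(likelihood_band(p_any), impact_band(largest_single_loss)),
    }


def apply_control(vulns, name: str, **changes):
    """Return a new scenario in which one vector's parameters are changed by a control."""
    return tuple(replace(v, **changes) if v.name == name else v for v in vulns)


if __name__ == "__main__":
    before = assess(SCENARIO, 500_000)
    # Assumed effect of encrypting data at rest with keys held elsewhere: a stolen disk
    # or backup no longer exposes records through this vector (other vectors unchanged).
    after = assess(apply_control(SCENARIO, SCENARIO[1].name, fraction_exposed=0.0), 500_000)
    for label, r in (("before remediation", before), ("after encrypting at rest", after)):
        print(f"{label}: level={r['level']}, expected annual loss=${r['expected_annual_loss']:,.0f}")
```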

Sources for quantitative and qualitative data…

Based on my own experience, I, and many other security and risk management professionals, acquire the information and insight needed to quantify probabilities of risk-threat materialization from sources such as (a.) penetration tests and (b.) vulnerability scanners.

Generally, these sources produce good and relevant information, but it’s important to acknowledge that they may fall short of delivering the complete risk-threat-vulnerability picture, because either can, and frequently does, change rapidly and routinely. Consequently, in addition to conventional risk-threat-vulnerability assessments, each must be routinely monitored for the inevitable changes. A critical part of that monitoring is internal, that is, information about the activities of legitimate and authorized users of the IT systems, i.e., such things as where they go, what they do, what they click on, etc.

Welcome inspiration for this post is gratefully attributed to Stephen Sims of the SANS Institute.


Reputation Risk…The Most Difficult Risk For Companies To Manage! Part II

February 5th, 2014. Published under Communicating Risk, Reputation risk.. No Comments.

Michael D. Moberly    February 5, 2014   ‘A blog where attention span really matters’!

The ACE Groups’ 2013 Survey of Reputation Risk…

For readers who may be unfamiliar with The ACE Group, it purports to be one of the world’s largest multiline property and casualty insurers for a diverse clientele with operations in 54 countries. In reviewing its 2013 report (survey) ‘Reputation at Risk’ authored by Andrew Kendrick, President, ACE’s European Group, there are some revealing findings that broaden current thinking regarding reputation risk. So much so that business decision makers globally would be well served, at minimum, to read this entry, but also to read ACE’s entire report.

Admittedly, I am a little unsure just how surprised I should be about ACE’s survey findings that merely one in five companies reported they are very effective at measuring external perceptions about their company.  My absence of surprise emanates from the reality that I have yet to meet a marketing practitioner or buyer, for that matter, in any business sector, who does not purport to possess a fairly high level of insight into their consumer base, i.e., likes, dislikes, preferences, etc., but actually (objectively) measuring and translating those insights into clarity about external perceptions, seems to fall somewhat short.  Obviously, marketing practitioners and buyers are likely to have little, if any, operational familiarity with company reputation risk or its management.

Need for measuring external perceptions…

For most of us working in this arena, we stipulate that measurement of external perceptions, i.e., reputation, can be challenging to get right. Perhaps most of all, ‘getting it right’ is certainly not impossible, but it does require…

  • an enterprise wide commitment, and
  • a recognition that it is not sufficient if it is merely a ‘snapshot-in-time’ description.

Companies today are obliged to engage in more frequent dialogue with external stakeholders to genuinely understand and assess their views and then…

  • regularly monitor and (re-)evaluate their external environment as methodically as possible to identify reputational risks and/or threats that may be emerging – are on the horizon, and
  • assess, if they materialize, the various ways they may adversely affect – jeopardize external relationships.

Some companies assume operational risks and reputation risks are synonymous…

While anecdotally, there is increasing evidence that some companies are treating reputational risk with the importance it deserves, a large percentage of companies are doing little, if anything of substance in this arena.  Regarding the latter, the reasons are varied but generally originate from two rationales, i.e., reputation risk management…

  • appears to be somewhat of a frontier concept for which company decision makers are reluctant or reticent to develop the necessary safeguards, and also
  • some companies have not developed or integrated relevant processes and practices to effectively address ‘their’ reputation risk challenges; thus, it is seldom an action or discussion item in c-suites, in boardrooms, or among management teams, and still
  • some companies appear determined to argue that no special measures are necessary to safeguard or manage a company’s reputation, because, they assume, reputational risks are merely the outcome or product of materialized operational risks, and since operational risk is already being managed, they must have reputational risk covered as well.

Neither stance is persuasive, and certainly neither is defensible from the point of view of directors’ fiduciary duties to shareholders to protect (and grow) the assets of the company (not to mention other duties increasingly being introduced to take account of other stakeholders’ agendas). Inaction by directors could eventually land them in hot water in terms of personal liability, but we should not see the reputational risk agenda as one simply of threat and downside. There are many positive reasons for taking steps to master this difficult challenge.

Increased prevalence of reputation risk…

Few could argue successfully in my view that increases in the prevalence of materialized reputational risks…

  • are variously linked to an elevated intensity of public scrutiny of company behavior and expectations, along with the rising importance of corporate sustainability,
  • which have placed more emphasis on companies to demonstrate strong (business, operational) ethics and thus, changed stakeholder expectations in terms of how companies should be behaving.

But neither can publicly held companies afford to ignore the demands of those who are not shareholders; instead, they must balance the needs of a broad range of stakeholders, including the public, their employees, and the communities in which they operate. Doing so creates a surer path to effectively safeguarding a company’s reputation. More specifically, as Warren Buffett is reported to have said, ‘we must continue to measure every act against not only what is legal, but also, what we would be happy to have written about it on the front page of a national newspaper.’

Underestimating reputation risk challenges…

Of course, I agree with ACE’S findings that (many) companies, and their management teams, underestimate the challenges associated with reputation risks, and their management.

Interestingly though, almost four in ten respondents to the ACE survey also report their companies have confidence in their ability to address and recover from a ‘crisis’, à la crisis management, with 32% believing they are very effective at restoring reputation following the materialization of a risk event. Admittedly, I am skeptical about merging crisis management and reputation risk management, or assuming they are necessarily synonymous.

Most company management teams recognize, however, that the time companies now have to respond, be it to a reputation risk that has materialized or to some other form of crisis event, and the potentially adverse impact of that event, should no longer be measured in weeks and months but in hours and minutes, thanks in large part to the globally instantaneous functionality of an expanding number of social media platforms. One outcome of this particular reputation risk phenomenon is that fewer companies have the luxury of a second chance!

Quite understandably then, further findings of ACE’s survey suggest that companies may actually be underestimating the speed with which reputation risks can materialize and cascade, in other words, the various and multiple challenges associated with a crisis in what appears to be a ‘faster than real time’ context.

A reputation risk insurance perspective…

On the other hand, from an insurance perspective, two-thirds of ACE’s survey respondents feel inadequately covered for reputational risk. So, one can presume the respondents distinguished ‘crisis management’ from ‘reputation risk management’.

Broadly, the survey findings indicate the insurance side has a potentially valuable role in helping companies manage the more traditional and conventional types of risk more effectively at the outset, which can mitigate or reduce the damages incurred from reputational risks. Applying a ‘reputational risk lens’ allows parties to more clearly recognize any (potentially adverse) external perspectives that are integral to a company’s reputation.

There is a lot at stake for companies…

‘Caught in the headlights’ may be an appropriate descriptor for a substantial number of companies, insofar as recognizing the speed and adverse realities of being the target of materialized reputational risks. Many, if not most, of my reputation risk management colleagues agree that speed of recognition must be balanced with agility, in terms of having multiple response options at the ready.

There is no question that reputation is now critical, more than ever, to the long-term financial and competitive advantage health of any company.

Materialized reputation risks can produce severe financial consequences…

It should be quite obvious by now that a materialized reputational risk can have severe, long-term, and in a percentage of instances, irreversible financial consequences for a company, e.g.,

  • adverse media attention, such as a product recall or major accident, can rapidly cascade and lead to lost sales, which affects a company’s liquidity.
  • investors and banks may become uneasy and withdraw or limit a company’s access to capital which places additional strains on balance sheets, and with
  • current and future revenue streams being more dependent on a company’s reputation, which is also a source of competitive advantage, it can become even more challenging to rebuild brands and restore stakeholder confidence.

Examples of company reputation quickly evaporating…

Arthur Andersen Company is a good example.  Its demise in 2002, most agree, is attributed to irreparable reputational damage following terrible publicity the company received related to the Enron scandal. More recently, BP incurred significant reputation damage relative to its association with the Deepwater Horizon explosion in the Gulf of Mexico in 2010.

Of course, there are countless other examples, but the corollary of this is that companies with strong reputations should become beneficiaries relative to others (competitors in some instances) in terms of elevating share price performance and stakeholder and customer trust. Some suggest that a positive and resilient reputation helps companies deal more effectively with future crisis or reputation risk events, should they occur, because it creates a reserve of goodwill, referred to many times here as ‘reputation capital or equity’, that can help the business better endure and survive future adverse (reputation risk) events.

Effective reputational risk management is not just about responding well to so-called crisis events. In addition, it is about safeguarding, building, and routinely monitoring reputation.

(A special thanks to Andrew Kendrick, President, ACE European Group, 2013 ‘Reputation at Risk’ Report for inspiring this post.)

Reputation Risk…The Most Difficult Risk For Companies To Manage! Part I

February 4th, 2014. Published under Communicating Risk, Reputation risk.. No Comments.

Michael D. Moberly    February 4, 2014   ‘A blog where attention span really matters’!

The ACE Groups’ 2013 Survey of Reputation Risk…

For readers who may be unfamiliar with The ACE Group, it purports to be one of the world’s largest multiline property and casualty insurers for a diverse clientele with operations in 54 countries. In reviewing its 2013 report (survey) ‘Reputation at Risk’ authored by Andrew Kendrick, President, ACE’s European Group, there are some revealing findings that broaden current thinking regarding reputation risk. So much so that business decision makers globally would be well served, at minimum, to read this entry, but also to read ACE’s entire report.

As readers know, there is nothing particularly new about companies experiencing risks to their reputation.  Too, as readers recognize, seldom, if ever, have company reputation risk(s) been as pervasive and ‘rapid acting’ as they are today.  All one needs to do is execute a quick scan of business publications wherein there is no shortage of articles which draw attention to the extent of ‘reputation risk’ challenges. For example, financial institutions and internet retailers have faced scrutiny and censure for data breaches, supermarkets and food suppliers have faced their own challenges over food production sourcing and contamination; and clothing/apparel retailers have been brought to task regarding poor conditions at outsourced manufacturing sites.

There’s certainly no argument here that a company’s reputation has become, for a variety of reasons, absolutely critical to its strategic financial and competitive advantage health. That translates to most any company, whether it’s a university-based spinoff, early stage startup, small-medium enterprise, small-medium multinational, or one of the proverbial Fortune-ranked corporations.

Reputational risk is different to other risks. It is difficult to define, measure and therefore manage – a task made more complicated by uncertainty over who ‘owns’ the issue inside companies.

Getting their heads around the most difficult risk category…

Four out of five executives surveyed for ACE’s report stated they regard their company’s reputation as its most significant asset. Nothing particularly new here! But, and it’s a very big but, despite evidence there is a growing understanding and appreciation for materialized reputation risks and their adverse impact on companies, one of the major challenges survey respondents revealed is quite straightforward, that is, “getting their head around” the asymmetric and otherwise intangible nature of reputation risk. More specifically, nine in ten of the survey’s respondents reported that company reputation risk is ‘the most difficult risk category to manage’!

Also revealed in ACE’s report are respondents’ views on the factors they believe contribute to today’s growing corporate reputational risk environment. ACE’s survey respondents expressed particular concern about the following trends that are influencing and elevating reputation risk levels, i.e.,

  • expanding global footprints and increasingly complex and risk laden supply chains.
  • increasingly dynamic and challenging regulatory environments, in which compliance is now considered a core competence in many industries, and failure to manage regulatory change effectively will inevitably lead to serious reputational damage.
  • rapid company expansion into new markets and the challenges associated with maintaining consistent (ethical, business, product) practices and standards in a boundaryless transaction environment.

Areas that business executives worry about most…

The survey’s respondents reported that…

  • damage to customer relationships, and the
  • adverse financial impact of materialized reputational risk, i.e., loss of earnings, impact on share price, and competitive advantage.
  • the speed at which reputation risks can materialize and cascade throughout a company and its supply – value chain.
  • the reality that reputation risks can emerge from anywhere, at any time, and from any place within a company or along its stakeholder and/or supply chain which makes reputation risks more difficult to predict.

Areas which companies judge themselves to be the weakest regarding reputational risk…

Interestingly, and quite revealing, is the fact that respondents to ACE’s survey cited particular areas where companies judge themselves to be weakest at reputational risk management…

  • measuring external perceptions of the company.
  • quantifying the financial impact of reputational risk, and because reputation risk impact is more difficult to quantify, it frequently makes it less well understood compared to conventional – tangible risks and threats.
  • restoring company reputation after reputational risk incidents have materialized.
  • absence of effective counsel about how to manage reputational risk, which elevates the sense of uncertainty and confusion about how best to manage reputation risk.

Fewer than one-third of companies believe they are well prepared to address the above.

There are no singularly magic solutions, nor silver bullets to manage reputation risk…

While the ACE survey suggested insurance is not necessarily the panacea for the rapidly evolving and escalating challenges associated with company reputational risk, there are some things that insurers can do to collectively benefit their clients and mitigate, if not prevent, materialization of reputation risks. Some effective measures and steps that business decision makers and management teams should not merely consider, but actually execute, include…

  • do more to evaluate and systematically track the perceptions of primary (external) stakeholders, i.e., customers, media, adverse lobbying groups, and governmental regulators.
  • help these entities acquire true perspectives and insights into challenging trends and problems companies face.

Respectfully, ACE’s global experience conveys that better (company, client) preparation and routine testing of response plans, i.e., business contingency, continuity, and resilience planning, lays important foundations for a faster, more effective, and genuine response when reputation risks materialize, including reputation restoration in the current instantaneously global social media environment. Again, ACE’s research does not convey there are any easy solutions, particularly when it comes to quantifying the financial impact of materialized reputational risks.

However, as noted here numerous times, as more management teams and business leaders attach a ‘reputational risk lens’ to the myriad of risks being routinely encountered, companies can be better positioned to evaluate any reputational consequences relative to (a.) action, or (b.) inaction. And that, as readers know, would be a truly significant advance. In other words, companies must get better at measuring and managing external perceptions. But, that said, ACE’s survey shows that only a quarter of companies are confident about how they evaluate the strength of stakeholder relationships, which we know form a very critical foundational component of reputational risk management.

(A special thanks to Andrew Kendrick, President, ACE European Group, 2013 ‘Reputation at Risk’ Report for inspiring this post.)