Archive for 'Enterprise risk management.'

Safeguarding Intangible Assets, The Eight Rules of Engagement

July 10th, 2017. Published under Enterprise risk management, Intangible asset protection.

Michael D. Moberly July 10, 2017 A business intangible asset blog where attention span really matters!

Thinking differently about why and how companies should safeguard their intangible assets…

1. First of all, the rules of engagement have changed! The predatorial and legacy free global business intelligence and ‘open source’ data mining operations are often overlooked in IA safeguard – risk mitigation equations. To effectively safeguard proprietary IA’s, i.e., those contributing to company value, competitive advantage, and generating revenue, practices-procedures must reflect these global phenomena relative to their technological sophistication, predatorial elements, and winner-take-all outlook, while exercising caution about which, what, how, and when particular IA’s enter the public domain.

2. Business’ initiatives, innovation, and transactions undertaken, and their outcomes, are no longer influenced solely by the development of physical-tangible assets, but rather by the development, flow, and use of IA’s. Company – business value has literally shifted from collections of physical (tangible) assets to collections of ‘know how’ (IA’s), which are unique commodities for which sustaining control, use, and ownership, and consistently monitoring value and mitigating risk, are integral to business’ near-long term success, profitability, and sustainability.

3. It’s important to build an intangible asset safeguard – risk mitigation ‘culture’ to fit each business mission rather than try to frame that mission to reflect the safeguard measures that may already be in place! An often misunderstood aspect of the dominance of IA’s to business operability is the assumption that computer/IT security equates with IA safeguards and risk mitigation. Computer/IT security is better recognized as complementing a comprehensive program for safeguarding IA’s in whatever format they exist, and for the duration of their value, competitive advantage, and materiality cycles.

4. Safeguards for a company’s IA’s are most effective when practiced proactively and when they reflect the nanosecond development, flow of, and accessibility to knowledge, know-how, and transaction strategy in which IA’s are inevitably in play. Safeguard practices should always be on the front end, to sustain control, use, and ownership, and to monitor asset value and materiality.

5. Think differently about past practices and conventions! Laws associated with intellectual property enforcement, e.g., patents, trademarks, copyrights, trade secrets, etc., are largely reactive, not proactive, and typically apply after, and if, infringement, misappropriation, or counterfeiting has occurred and come to the attention of the rightful owner (holder). So, holders of intangible assets and IP are dependent on their ability to be alert to…
• global risks to their business assets.
• recognizing their risk tolerance – threshold for economic – competitive advantage hemorrhaging.
• their willingness and resources to aggressively pursue wrongdoers.

6. Intangible asset safeguards must be flexible and maneuverable! Many information asset safeguard regimes-systems are static and/or one dimensional, e.g., they remain constant throughout the life – value – competitive advantage cycle of the safeguarded assets and do not recognize or accommodate fluctuations in the assets’ contributory role, value, or materiality. Business intangible asset safeguards should be forward looking and possess the capability to monitor and make rapid adjustments to changes in an asset’s value, mission relevance, risk, and vulnerability.

7. Avoid ‘pushing the future off the table’! A forward-looking offense is the best defense for safeguarding businesses’ intangible assets. Each day companies are presented with urgent, near term challenges that create pressures to push the future off the table. One consequence is that disproportionate emphasis may be given to the constant chorus of sources which offer largely speculative, anecdotal, and worst-case scenario snapshots about particular risks and threats. While the potentially devastating consequences of these pronouncements should not be dismissed, neither should they serve as the sole or necessarily dominant rationale for the design and execution of IA safeguards.

8. Safeguarding businesses’ IA’s should also be about forging relationships with the assets’ originators, developers, users, and owners, because this is where and how to sustain control, use, ownership, and value of business intangible assets.

Intangible Asset Risk Mitigation vs. Risk Management

June 30th, 2017. Published under Enterprise risk management, Intangible asset risk tolerances and thresholds.

Michael D. Moberly June 30, 2017 ‘A business intangible asset blog where attention span really matters’.

In my judgment, a not insignificant percentage of the business community and service providers have become piously complacent insofar as assuming the terms risk management and risk mitigation are interchangeable. Through my lens, there are important distinctions with differences!

The terms risk management and/or managing risk, in my view, suggest these are actions taken to manage adverse events – circumstances which likely have already materialized, i.e., sort of managing risk ex post facto. Risk mitigation, by contrast, assumes effective action will be taken to abate and minimize the probability that the adverse effects of particular risks known to emerge will coincide with specific actions and/or transactions in which IA’s will be – are in play.

I am suggesting there is a bright line that distinguishes managing adverse events-actions-behaviors which have already occurred vs. having specific policies, processes, and procedures in place to mitigate events-actions-behaviors before and/or at the earliest stage of their materialization. In other words, in advance of adversities manifesting to the level of business destabilization or lethality.

Of course, the strategic underlier to this argument is recognizing that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for future wealth creation and sustainability today lie in intangible, not tangible assets. This translates to rapid growth in the number of companies in every sector now operating with high levels of intangible asset intensity and dependency. Accordingly, far more risk mitigation – management initiatives and services should be focused on intangibles than on tangibles.

As most risk mitigation – management professionals recognize all too well, a helpful prelude to executing either is for a relevant – comparable risk to materialize, adversely impact another company (preferably, a competitor), and produce…

• sudden and significant hemorrhaging of value, revenue, brand, reputation, image, goodwill, and competitive advantages, etc.

• adverse public, political, and/or regulatory spillovers that lead to long term hemorrhaging of market share, and erosion of customer-client base, company value, and revenue generation capability.

It’s certainly not uncommon, when a significant business risk does materialize to adversely affect a company’s intangible assets, that previous c-suite unresponsiveness and/or expressions of indifference give way to receptivity for substantive commitments to mitigate-manage business risks, preferably before they materialize.

Too, my experience suggests that management team interest in risk will now likely include sustaining control, use, ownership, and value of the company’s intangible assets which lie in probable future risk paths, should those risks materialize.

Experience has also led me to conclude there are (generally) two key factors that influence how business risks will be received (interpreted, assessed) by c-suites, management teams, and boards, and ultimately influence their propensity for action, e.g.,

• if the risks’ adverse outcomes are presented in objective-quantitative contexts vs. subjective-qualitative contexts?

• if a risk is presented-characterized as being responsive to prevention, mitigation, or management practices-techniques?

• if the risks, and their potential materialization, are characterized as single occurring, perhaps one-off events, absent conveying vulnerability-probability for multiple risks materializing?

• if characterization of the risk includes potential for producing enterprise-wide cascading effects that significantly elevate both the cost and challenge to protect business value and sources of revenue, and to stop competitive advantage hemorrhaging?

• if the risk advocate is inclined to over-dramatize vulnerability and probability that a certain risk will materialize, to the exclusion or minimization of criticality, i.e., near-long term adverse impacts?

As an intangible asset strategist and risk specialist, I seek consensus on matters of risk and try to avoid circumstances in which there are competing interpretations and assessments of particular risks in terms of the company’s vulnerability to, the probability of, and a risk’s criticality to the company, should it materialize. An essential requisite to making a business risk presentation is to recognize that while management teams and boards may not be familiar with the intricacies of current business risks/threats, they typically grasp a ‘big picture’ and may have already framed certain perspectives about how best to address a risk, albeit from a managerial – financial position or an assumption regarding a company’s risk tolerance and/or risk threshold.

Intangibles, Messaging By Marketing Fear, Uncertainty, and Doubt?

May 30th, 2017. Published under Design thinking, Enterprise risk management.

Michael D. Moberly May 30, 2017 ‘A business intangible asset blog where attention span really matters’.

FUD (fear, uncertainty, and doubt) are intangibles, or, in some instances, liabilities, depending on the context (motive, intent) in which each ‘factor’ is conveyed, i.e., dramatized or embellished to influence a particular (emotive) action or reaction from/by whomever-whatever is being targeted and assumed to be receptive to ‘FUD messaging’.

I believe it’s important to recognize that, when individuals rise to hold leadership – oversight positions which include platforms-venues which can be exploitatively used to practice ‘FUD messaging’, prudence and caution should be exercised.

On numerous occasions I have experienced marketing practitioners who quite literally espouse the view that it is necessary to sow elements of FUD into every product – service marketing strategy. In these instances, it is assumed the presence of FUD is a stimulant for human (buy, don’t buy) action. I sense persistent purveyors-proselytizers of FUD, as a marketing tactic-strategy, are variously inclined to sacrifice (minimize) facts, reason, and reality which may counter the ‘FUD factors’ they are espousing. I want to believe prospective clients, and consumers in general, are not mere pawns to perceptions of exploitative FUD as the dominant driving stimuli to their decisions-actions.

One can routinely observe the principles of FUD at work, or carefully contrived variations, exploitatively and jointly woven into arrays of products – services characterized as mitigating and/or remediating a particular risk. In these circumstances, elements-factors of FUD are integrated (exploited) as the primary underlier to a marketing (buy in) strategy to appeal to targeted populations of prospective buyers’ – clients’ circumstances, needs, aspirations, or frustrations with the status quo.

Some attribute – believe humans are receptive to characterizations of fear, uncertainty, and doubt because they…

• are grammatically and visually easy to convey and assume can-will

• can influence those receptive, to assume the product-service being marketed is a quick and simple (single) fix, e.g., if x is purchased and deployed, a specific (set, range of) risks, problems, and/or frustrations, at least how they are perceived, will be substantially reduced, if not go away altogether.

Deploying Risk Mitigators For Intangible Assets

February 20th, 2017. Published under Due Diligence and Risk Assessments, Enterprise risk management, Sustainability of intangible assets.

Michael D. Moberly February 20, 2017 ‘A business intangible asset blog where attention span really matters’!

Deploying IA-specific ‘risk mitigators’, at the right time, to the right set of assets, and in the right manner can deliver obvious benefits, i.e., counter, prevent, and/or mitigate risk. Those are the obvious and desired outcomes. But, also, when company leadership and (risk) management teams recognize IA-specific risk mitigators are applicable-relevant to most any circumstance where valuable – revenue generating – competitive advantage producing IA’s are being developed and/or already in play, their contributory value rises accordingly.

For most business circumstances, the presence of and the potential for significant (IA specific) risk to materialize and variously jeopardize an IA-dominant undertaking or transaction is real and persistent. The initial management team action, in my judgment, preferably undertaken in advance, should be to do what is necessary to try to mitigate or prevent those risks from materializing – elevating to the point they can adversely (irreversibly) affect an outcome.

Effectively mitigating-preventing risks directed to undertakings dominated by IA’s, or a myriad of other business transaction circumstances for that matter, lies in recognizing that putting risk mitigators in place, at the right time, focused on the right set of assets, i.e., those in play, and in the right manner, can deliver obvious and necessary benefits. The benefits are two-pronged, i.e., (1) to thwart, counter, and mitigate risk, and (2) to measurably contribute to more valuable and competitive (desired) outcomes.

Those business leaders and management teams who assume risks to IA’s can be adequately dealt with via the purchase of conventional business insurance (riders), without deploying risk mitigators, I suggest, have misread – misunderstood the current risk environment. That is, the ‘keystroke speed’ and asset-specific targeting capabilities of ultra-sophisticated and predatorial global economic and competitive advantage adversaries with advanced data mining technologies have indeed become the norm, certainly not an anecdotal (one off) exception.

The effective and timely deployment of IA-specific risk mitigators (at the right time, right place, and in the right way) is businesses’ prelude to – segue for ensuring the IA’s in play remain as fully intact as possible in terms of their capability to continue to generate value, produce sources of revenue, and underlie competitive advantages.

The primary objectives to deploying IA-specific risk mitigators are to reduce the assets’, and their holders’, receptivity – vulnerability to compromise and/or undermining throughout the contributory value – materiality cycle of the assets. This is best achieved when there are coordinated processes – actions in place to recognize, monitor, sustain, and acknowledge…

• the assets’ exposure to costly and momentum stifling (risk) acts-events.
• that the IA’s contributory role and value will favorably distinguish companies within their sector.
• the necessary levels of control, use, ownership, value, equity, and resilience for the IA’s.
• that deployment of IA-specific risk mitigators is not a mere operational elective that can be dropped, dismissed, or delayed indefinitely.

As consistently conveyed since the ‘Business IP and Intangible Asset Blog’ published its initial post in May 2006, whenever, however, and wherever valuable, revenue generating, and competitive advantage IA’s are in play, company-business leadership and management teams are obliged to consider that there will be various types, levels, and motives for (IA-specific) risks to materialize.

The acts of assessing and monitoring IA-specific risks and identifying effective techniques – strategies to prevent, mitigate, or neutralize them do not require leaders to reach beyond-outside their professional domains of expertise in order to take the necessary action.

Perhaps the most important-relevant component to IA-specific risk mitigation is to…

avoid making purely arbitrary-subjective assumptions about circumstances when, where, how, and why particular IA’s are in play and their vulnerability to risk, e.g., fragility, stability, defensibility, and liquidity if-when compromised.

A common denominator to most all IA-specific risk (and its management) is the persistent presence of (global) economic and competitive advantage (legacy free) adversaries and ultra-sophisticated data mining technologies and methodologies, any one of which, by their actions and capabilities, impose consistent risk.

Global Business Risks, Their Changing State

January 29th, 2015. Published under Enterprise risk management.

Michael D. Moberly January 29, 2015 ‘A blog where attention span really matters’!

World Economic Forum reports, out of necessity, are generally framed in neutral 30,000-foot altitude contexts. More specifically, the 2015 WEF Risk Report projects ten risk challenges which are likely to materialize in the coming decade. For me, I would be hesitant to catalog those projections as constituting ‘rocket science’. What is a form of ‘rocket science’, however, is designing and executing viable strategies to, at minimum, mitigate those risks and bridge the chasm between pleasing stake/shareholders and companies becoming stagnatingly risk averse.

Among the contributors to – framers of the 2015 Risk Report, I suspect consensus was rather easily achieved. There are some important distinctions, however, that warrant pointing out, which are, through my lens anyway, that significant business risks can manifest much more rapidly today, often ‘overnight’, and there are few examples in which such risks dissipate, even remotely, with equal rapidity. Instead, they persist, fester, and frequently exacerbate in their complexity and volatility, resembling reputation risks.

Should this be a reasonably correct perspective, it leaves me with the notion that, for greater numbers of global business risks, prevention and/or resolution are rapidly becoming increasingly illogical options; instead, temporary (risk) mitigation is the best most can hope for and can viably achieve.

As a strategic aid to unravel this phenomenon further, it certainly would have been useful had the WEF directly addressed their projected business risks in light of the economic fact that today, 80+% of most companies’ value and primary sources of revenue, globally speaking, lie in – evolve directly from intangible assets!

Reputation Risks vs. Public Relations

November 5th, 2014. Published under Enterprise risk management, Fiduciary Responsibility, Reputation risk.

Michael D. Moberly November 5, 2014 ‘A long form blog where attention span really matters’!

‘Houston, we’ve got a problem’! The problem, in my view, is that there are far too many business decision makers, c-suites, boards, and management teams who persist in framing and seeking resolution to their company’s – businesses’ public persona through a conventional public relations lens and not, as in most instances they should, through a very nuanced and sector specific reputation risk lens.

There seems to be no end to the number of globally operating companies, irrespective of sector, which have taken substantial ‘direct hits’ to their reputation of late. To be sure, reputation risk is certainly not the exclusive domain of Fortune-designated firms. And too, there is no indication the number of, or the criticality associated with, reputation risks will diminish, at least in the near term.

Relevant U.S. Congressional Committees are consistently geared up for investigatory hearings, and yes, numerous have political underliers. That notwithstanding, they all essentially seek answers to the proverbial questions, i.e., who knew what, when did they know it, and what, if anything, did they do about it upon first learning about it.

Collectively, this should prompt us to ask, and quite correctly so in my judgment…

  • are these mere public relations issues which presumably can be adequately managed through various conventional and social media platforms and public statements, and which presumptively dissipate with no long term detrimental – adverse financial and/or competitive advantage effects?
  • or, are adverse acts, events, and/or oversights that materialize, the inevitable outcome of dispersed manufacturing and operational (quality control) failures, which, when they come to light, have a higher probability of manifesting as substantial, long term, and potentially irreversible (semi-permanent) risks to a company’s reputation which conventional public relations initiatives may exacerbate instead of ameliorate.

The intangible asset ‘risk of risks’ is a company’s reputation!

Company reputation is an intangible asset of the first order. So, perhaps it would be useful to say again that it is an economic fact that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, competitiveness, and sustainability lie in or evolve directly from intangible assets, of which reputation is one.

Respectfully, I suspect this economic fact may have prompted The Economist Intelligence Unit (EIU) to produce a ‘global risk briefing’ paper titled Reputation: Risk of Risks.

Company reputation is defined (in the EIU report) as ‘how a business is perceived by stakeholders, including customers, investors, regulators, the media, and the wider public’. To be sure, a company’s reputation ‘declines when things fall short of expectations’. When not one, but multiple consumers’ – users’ expectations are not met by a company’s products or services, then it’s unlikely comprehensive and long term remediation will come through conventional public relations strategies.

Company reputation is a prized and increasingly valuable, yet vulnerable and even sometimes fragile asset, a view the respondents to the EIU survey affirmed by stating that sustaining a positive company reputation is a main concern for the majority of risk managers, ahead of, for example…

  • regulatory risk
  • human capital risk
  • IT network risk
  • market risk, and
  • credit risk.

It’s fair to say now that company reputation risk has risen to the level of being a fiduciary responsibility (and concern) that extends well beyond senior risk managers to being a permanent fixture on company management team dashboards, see, e.g., Stone v. Ritter.

In most instances, companies would be well advised to acquire a deeper appreciation, clarity, and understanding of the asymmetric nature (elements) of reputation risk, which can be summed up as… an unsatisfactory (poor) company reputation can rapidly, and oftentimes irreversibly, adversely affect a company economically and competitively, aside from the embarrassing and probing questions that will inevitably be posed by the media and Congressional Committee members, especially those who have constituent(s) who personally suffered due to a company’s obvious failure to understand and correct reputational risks in a timely manner.

Preferably, reputation risks are identified, assessed, and remediation is commenced in a manner that meets or exceeds regulatory agency oversight and statutory requirements, and before unwitting consumers die or become injured as a consequence.

As always, readers’ comments are most welcome!

New Drivers of Computer/IT Security: Contributory Value, Materiality, and Risk!

November 4th, 2014. Published under Cyber security, Enterprise risk management.

Michael D. Moberly November 4, 2014 ‘A blog where attention span really matters’!

Achieving efficiencies by differentiating the information and data being safeguarded…

Setting aside, for the moment, statutory and regulatory mandates, I am increasingly confident the day is quickly approaching (in many instances, it already has, in my judgment) when it becomes impractical for companies to assume the costs and time of installing ever bigger, one size fits all, snapshot-in-time firewalls and data/information security – protection systems and products to try to thwart the growing numbers of intensely sophisticated and global economic and competitive advantage adversaries and legacy free players, aka hackers.

There are two key and inter-related reasons why I believe this to be not only true, but an inevitability.

First, it is a globally universal and irreversible economic fact that rising percentages – 80+% – of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, primarily in the form of intellectual, structural, and relationship/social capital and other forms of intellectual property.

Second, data/information generation, storage, and archival needs are continually ratcheting up from megabytes, gigabytes, to terabytes+, particularly in intangible asset intensive and dependent companies and R&D sectors.

So, out of necessity to achieve cost efficiencies and a more specified return on investment, technologies must be developed with heretofore unique capabilities to differentiate the company information and data that should receive the maximum IT/computer safeguards, which, I initially propose, encompass the following four factors, i.e., the (intangible) assets’…

  • contributory value to a particular project, product, and/or the company’s mission.
  • continued materiality to a particular project, product, and/or the company’s mission.
  • level of assessed risk to theft, infringement, misappropriation, etc.
  • relevance to a company’s reputation (image, goodwill, brand) etc.

Reputation Risk Cyber Attacks

March 5th, 2014. Published under Enterprise risk management, Reputation risk.

Michael D. Moberly March 5, 2014 ‘A blog where attention span really matters’.

According to Homeland Security News (March 4th), there is rising anxiety over the possibility of a cyber-attack on the U.S. power grid. In other words, both the private (industry) and government sectors remain insufficiently set up to effectively counter the risks – threats posed by the cyber arena.

The report was produced by a Washington nonprofit called the Bipartisan Policy Center, which, admittedly, did not produce much interest, primarily because there are literally hundreds of such entities ensconced throughout the ever expanding Washington, D.C. circular interstate highway system, many, if not most, of which consistently seek notoriety and efficacy based on their presumed expertise and/or sought after endorsements from publicly recognized experts or airplay on C-SPAN.

With respect to this particular report, what did strike me as lending it a higher level of credibility was that it was reportedly led by individuals whom most would agree possess unique insights into the subject matter, i.e., Michael V. Hayden, the former NSA and CIA director, and Curt Hébert Jr., a former chairman of the Federal Energy Regulatory Commission.

Readers are respectfully reminded that the U.S. is one of a very few countries in which much of its infrastructure, i.e., utilities, transportation, communication, healthcare, banking, water, etc., is under private sector ownership. So what turned out to be no particular surprise in the report, but still distressing, is that a percentage of these companies remain variously reluctant to share (cyber-security, cyber-attack) information with other companies, presumably inside or outside their infrastructure sector.

I understand the rationale behind most such reluctance to openly share experiential information, a rationale which has been loudly and repeatedly conveyed following the terrorist attacks of September 11, 2001: sharing involves the potential for antitrust violations, or merely giving away very expensive and proprietary intellectual and structural capital that delivers competitive advantages, along with numerous other intangible assets.

That said, I am unaware of any disagreement among the more notable players and information sharing advocates (related to cyber-security and attacks) that ‘sharing’ is essential to reducing – mitigating vulnerability, and that the wrath, scorn, and certainly reputation risk will surely materialize and be directed to companies accused of not sharing and/or being out of compliance with cyber-security ‘rules of the day’.

Equally troubling, the report cites, are federal rules intended to safeguard the electric/power utilities from cyber-attack, which, as one example, have a basic flaw: they do not give companies sufficient incentive to continually improve and adapt to ever changing cyber risks and threats.

In my judgment, perhaps the most telling aspects of the report are…

  • public utility commissions are generally well set up to address new problems, presumably risks and threats to their systems and grids, for which regulated utilities can add security costs to the expenses which they bill their customers, providing the regulators determine those expenditures to be prudent and warranted. The problem lies, the report says, in the reality that many regulators lack sufficient expertise to make – distinguish these types of judgments.

  • the report also raised the issue that public utility commissioners, who decide which utility expenses are prudent and eligible to be passed on to customers, have trouble determining the value of such (security) investments.

  • outside experts who were not involved with the report nevertheless endorsed some of its findings, e.g., Samuel P. Liles, of Purdue University’s Cyber Forensics Laboratory, rather pessimistically characterized risk – threat information sharing best practices as constituting “hit or a miss” propositions.

  • Nadya Bartol, a cybersecurity expert with the Utilities Telecom Council, a trade association of electric and water utilities, said the report was correct in asserting that utilities might not always come forward with helpful information. The reason, she says, is because “if utilities say, ‘I have this vulnerability,’ they may be subject to fines if the cited vulnerability turns out to be a violation.” Too, this circumstance thus may prompt additional hesitation – reluctance to talk about cyber vulnerabilities because, “if a utility puts it out in the public space, it elevates the probability they may get hacked even more.”

As a side note to the general findings of this report, on the morning of September 11, 2001, within minutes of the terrorist attacks on the Pentagon, I received calls from former students who were employed in various agencies in the District of Columbia describing to me in detail their personal observations of what was occurring. Having military experience myself, and being an ardent researcher in information asset protection strategy, I rather instinctively called an acquaintance whose role was director of security for a super computing environment and asked her if she was observing any potential adverse activity on ‘the grid’.

My concern, and that of thousands of others, was that the attacks at the World Trade Center and Pentagon were possibly forerunners to larger secondary, but perhaps more expansive, ‘cyber attacks’ on the U.S. infrastructure.

Interestingly, the response I received from my super computer security expert was the following, ‘Mike, I don’t know if anything adverse is occurring on the grid, I’m watching CNN, I will get back to you’!

Intangible Asset Risk Assessments: Qualitative vs. Quantitative

February 27th, 2014. Published under Communicating Risk, Due Diligence and Risk Assessments, Enterprise risk management.. No Comments.

Michael D. Moberly    February 27, 2014   ‘A blog where attention span really matters’.

As most readers of this blog recognize, generally through their personal – professional experiences, assessment and management of (company) risk has indeed become increasingly complex and multi-faceted, particularly as we endeavor to guide our companies and/or clients through the respective operational, audit, compliance, and budgeting obstacle course.

Throughout this so-called obstacle course, it is likely we will become inclined, at some point, to justify most, if not all of the factors used to assign a reasonably correct ‘risk rating’ to the various business units within our company or that of our clients.

But, and probably rightfully so, more company decision makers are requiring quantitative (data) driven findings to support a particular risk rating. So, no longer can security – risk management practitioners find comfort by focusing their attention almost exclusively on the latest zero-day risk materialization or exploitation event, a rather archaic approach. To be sure, that landscape has changed so significantly that we must assume greater responsibilities.

So, in the security, asset protection, and risk-threat assessment and management arena, presenting a risk-threat rating that is simply or solely based on numbers may not result in the best (risk, threat) analysis that we are seeking. Thus, to get closer to an accurate understanding of the actual risk-threat level needed for business strategic planning and decision making, it is necessary to introduce and factor multiple elements into the risk-threat analysis equation.

Thus, as we more routinely adopt a more inclusive and/or multi-dimensional view toward assessing risks and threats, additional complexity will likely be one outcome, e.g., quantitative and qualitative forms of measurement.

Quantitative risk-threat assessment…

Quantitative risk assessment surfaces as we develop the ability to assign a (specific) dollar amount/value to a specific risk or threat should it materialize. As an example, let’s apply quantitative risk assessment to a healthcare institution.

For simplicity, there are 1,000 confidential patient records and data that reside in a single database. This particular database is directly accessible by a web server which resides in a semi-trusted environment.  That, of course, constitutes a vulnerability (risk) in itself, and any compromise of the method in which the web server communicates with the database would likely result in the exposure (compromise) of all 1,000 patient records holding confidential data as defined by HIPAA (Health Insurance Portability and Accountability Act).

Too, for discussion’s sake, and to add further complexity, during a recent ‘business impact analysis’ or BIA, it was found that the replacement cost for each compromised patient record would be $30. This cost includes (a.) contacting each patient to inform them of the compromise, (b.) changing each patient’s account numbers, and (c.) printing new health cards.

From this, one can easily determine that the maximum quantitative loss associated with a full compromise of that system is conservatively estimated at $30,000, excluding, of course, the inevitable litigation. No doubt, as readers already surmise, there is more to consider. But does quantitative risk always have to ‘map out’ the money (loss or cost) aspects associated with materialized risks-threats? Probably not, because in many instances controls are automated, with internally consistent and repeatable numbers being generated that can be used to create an alert dashboard or report directed to business unit managers when breaches or other adverse events occur.

Qualitative risk-threat assessment

Qualitative risk-threat assessment, on the other hand, takes a different form. To demonstrate qualitative risk-threat assessment it is important to introduce additional factors, i.e., threat-risk vectors, into the above example.

First, we learn that the patient database that previously held 1,000 records will now hold 10,000 records, possibly rising to 500,000 patient records. We also learn that (a.) multiple groups and/or business units within the healthcare institution will have access, and (b.) the capability to modify patient records, and (c.) the database/system will now come under the control of a different unit, i.e., the company’s Operations Group.

Obviously, substantive changes like this elevate – bring additional complexity to the risk-threat assessment we are endeavoring to calculate.  To add yet another layer of complexity to our risk-threat analysis, we are informed by the audit unit that the data in the database is (d.) neither encrypted in transit to the web server nor at rest on the database. The coup de grace follows with the audit unit giving exactly ninety days to document and remediate this adverse set of circumstances, i.e., risks, threats, vulnerabilities, because, as it stands, this healthcare institution’s IT system is not in compliance with HIPAA.  Collectively, the additional factors serve to expand the risk-threat equation.

Now that these vulnerabilities (risks, threats) are known to exist relative to the institution’s IT system, the next steps involve determining (a.) the costs linked to any actual compromise, i.e., the materialization of a risk-threat or a vulnerability being exploited, and also (b.) the probability that a specific vulnerability, or possibly multiple vulnerabilities, that have been identified will be discovered and adversely exploited by bad actors, or (c.) a single vulnerability materializing and cascading throughout the IT system.

Assessment process…

The assessment process commences by examining the cost(s) associated with potential compromises, as (a.) single acts, (b.) as multiple acts occurring simultaneously, and (c.) the potential for adverse cascading effects throughout the institution, well beyond perhaps the IT system itself.

Because we now know there may be in excess of 500,000 confidential patient records stored on the database, it’s often prudent to consider – factor absolute worst-case scenarios, i.e.,

500,000 records X $30 remediation cost per record = $15 million.

From most any company’s perspective, the possibility of $15 million being ‘at risk’ is significant. One problem associated with relying solely on this formula is that it is largely one-dimensional. In other words, just because a bank has $100 million in cash in its vault does not mean that the money could be easily stolen from the vault.

So, being prudent security – risk management professionals, we must have other ways in which to assign a particular level of risk to a particular vulnerability, ways that fully consider multiple (known) risk factors, not just one, and that do not ignore the possibility that multiple risks could materialize in some manner of sequence and cascade.  Such added (risk-threat-vulnerability) complexities should prompt practitioners to re-visit qualitative risk ratings.

One reason is that many companies, organizations, and institutions learn there is a necessity to have multiple, perhaps three to five, qualitative risk levels, which may be addressed in relatively simple, but in my view ambiguous, terms like low, medium and high.
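The reasoning above, from the worst-case dollar exposure through the qualitative vectors to a low/medium/high rating, as an added example that is not part of the original post: a small Python model that takes the $30-per-record cost and the record counts from the text, while the DatabaseScenario fields, the scoring weights, the dollar bands and the three scenarios are constructed assumptions.

```python
# Added example, not the post's own method: a risk-rating model for the patient-database
# scenario. The $30/record cost and record counts come from the text; the weights, bands
# and the three scenarios below are constructed assumptions.
from dataclasses import dataclass

COST_PER_RECORD = 30  # remediation cost per compromised record, per the BIA in the text

@dataclass
class DatabaseScenario:
    records: int
    web_server_semi_trusted: bool   # web server sits in a semi-trusted zone (first vector)
    groups_with_modify_access: int  # business units able to modify records (vector b)
    encrypted_in_transit: bool      # vector (d)
    encrypted_at_rest: bool         # vector (d)

def quantitative_exposure(s: DatabaseScenario) -> int:
    """Worst case: every record compromised (the text's 500,000 x $30 = $15 million)."""
    return s.records * COST_PER_RECORD

def impact_level(exposure: int) -> int:
    """Constructed dollar bands mapped to an ordinal impact of 1..3."""
    return 1 if exposure < 100_000 else 2 if exposure < 1_000_000 else 3

def likelihood_level(s: DatabaseScenario) -> int:
    """Constructed ordinal likelihood 1..5: one point per qualitative vector present."""
    vectors = [s.web_server_semi_trusted, not s.encrypted_in_transit,
               not s.encrypted_at_rest, s.groups_with_modify_access > 1]
    return min(1 + sum(vectors), 5)

def qualitative_rating(s: DatabaseScenario) -> str:
    """Impact x likelihood; the same $15M exposure can land in different bands."""
    score = impact_level(quantitative_exposure(s)) * likelihood_level(s)
    return "low" if score <= 3 else "medium" if score <= 9 else "high"

# Constructed scenarios: the original 1,000-record system, the 500,000-record system
# as the audit unit found it, and that same system once vector (d) is remediated.
ORIGINAL = DatabaseScenario(1_000, True, 1, True, True)
AS_AUDITED = DatabaseScenario(500_000, True, 3, False, False)
REMEDIATED = DatabaseScenario(500_000, True, 3, True, True)

if __name__ == "__main__":
    for name, s in (("original", ORIGINAL), ("as audited", AS_AUDITED), ("remediated", REMEDIATED)):
        print(f"{name:11} exposure=${quantitative_exposure(s):>12,} rating={qualitative_rating(s)}")
```

The audited and remediated scenarios carry the identical $15 million exposure yet rate differently, which is the bank-vault point: the dollar figure alone does not fix the rating.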

Sources for quantitative and qualitative data…

Based on my own experience, and that of many other security – risk management professionals, information and insight related to quantifying probabilities of risk-threat materialization is acquired from sources such as (a.) penetration tests, and (b.) vulnerability scanners.

Generally, these sources produce good and relevant information, but it’s important to acknowledge that they may fall short of delivering the necessary complete risk-threat-vulnerability picture, because either can, and frequently does, change rapidly and routinely. Consequently, in addition to conventional risk-threat-vulnerability assessments, each must be routinely monitored for the inevitable changes. A critical part of that monitoring is internal, that is, information about the activities of legitimate and authorized users of the IT systems, i.e., such things as where they go, what they do, what they click on, etc.

Welcome inspiration for this post is gratefully attributed to Stephen Sims of the SANS Institute.


Pharmaceutical Company’s ‘Futures Market’ for Reputation Risk

February 6th, 2014. Published under Enterprise risk management., Reputation risk.. No Comments.

Michael D. Moberly    February 6, 2014   ‘A blog where attention span really matters’.

Pharmaceutical company’s ‘futures market’ for reputational risk, kicking the ‘reputational risk can down the road’.

As regular readers of this blog know, I am an intangible asset strategist and risk specialist who also has a strong interest in most ‘all things intangible’, including offering guidance to companies to avoid incurring potentially costly and, with increasing frequency, irreversible reputational risks.

I am also an ardent NPR (National Public Radio) listener.  Recently I listened to an NPR program, i.e., The Diane Rehm Show, on which three well-versed guests variously addressed, from their respective perspectives, the subject of ‘low testosterone’ for men, of course with the benefit of Ms. Rehm’s formidable probing questions.

During the program, while listening to Ms. Rehm’s questions and the responses and remarks made by her guests, it occurred to me that pharmaceutical drug pitches, now well embedded in every media marketing format, may collectively constitute, for lack of a better term, a ‘futures market’ for reputational risk to ‘big pharma’.

My point is this: there are potential ‘future’ reputational risks these media campaigns may pose to pharmaceutical companies in terms of influencing viewers/readers, i.e., men, to ‘self diagnose’ based on a generalized check list of physical and emotional symptoms someone has deemed to be associated with men experiencing low testosterone.

Prompted, no doubt, in large part by the significant rise in prescriptions being written for drugs marketed as elevating or balancing men’s testosterone levels, as necessary to mitigate or relieve the symptoms the media advertisements have associated with ‘low T’, various research entities, including the FDA, have now identified specific adverse side effects of consuming these drugs by men, several of which may rather obviously outweigh the benefits, e.g., elevating one’s vulnerability to incurring a heart attack in the initial 70+ days of taking the drug.

To bring more clarity to my question: pharmaceutical companies that engage in media – marketing presentations aimed at producing not so subtle subliminal inclinations for viewers to (a.) self-diagnose based on the laundry list of symptom descriptors, and (b.) actually seek these ‘recommended’ therapies from their physician, may be positioning (auctioning) themselves to incur future reputational risks in favor of more immediate revenue generation and profit making.

Too, skillfully created media messages that portray a particular disease as perhaps being more prevalent than it really may be prompt me to reconsider the old adage of ‘the tail wagging the dog’: are drugs being manufactured in search of a disease?

The intent seems rather evident, that is to (a.) elevate awareness linked with readily understood symptoms, in order to (b.) create a broader market demand for the drug, when again, the health benefits or adverse complications are yet to be fully understood.

I claim to possess no insight or medical background to make any medical judgments on this matter.  However, through my lens as an intangible asset strategist and risk specialist with a strong interest in objectively elevating operational familiarity with corporate reputation risks, I find this, and other similar circumstances, akin to ‘kicking the reputation risk can down the road’.  That is, profitability now and costly reputation risk tomorrow, should this or other drugs be found or confirmed to be more physically or emotionally detrimental than what’s being conveyed in the media marketing disclaimers.