Archive for 'Organizational resilience and business continuity/conti'

Mutually Assured Destruction – Disruption of Intangible Assets, Overlooked Risk

July 21st, 2017. Published under Cyber security, cyber warfare., Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly July 21, 2017 ‘A business intangible asset blog where attention span really matters’!

Throughout the 1960’s, ala ‘the Cold War’ period, there were consistent references by governments and defense sectors’ regarding a relatively new capability, i.e., MAD (mutually assured destruction). Opposing countries, presumably the United States and the former USSR, now Russia, possessed sufficient triads of nuclear (war) capability, i.e., sea, air, and land based-launched missiles and bombs, a consequence of which, if used, would assure mutual destruction and annihilation of both. Indeed, a perverted approach to deterrence.

A somewhat similar analogy is evident today, but its origins do not lie in the delivery of nuclear weaponry, rather in various anonymity of cyber-attacks, or cyberwarfare, designed to destroy functionality and/or substantially disrupt multiple components of a targeted country’s cyber-based and interconnected infrastructure, hence, a ‘mutually assured disruption’ of a country’s cyber ecosystem.

Cyber warfare (massive cyber-attack) would produce substantial loss of life in-many-different ways, aside from the seismic power of a nuclear warhead blast. In a MAD context, the outcome of a comprehensive cyberwar would likely produce no definitive winner or loser as often portrayed in conventional wars and/or battles. Instead, the outcome would likely be characterized and measured in almost diminutive contexts based on system redundancies and organizational – system resilience.

On the morning of September 11, 2001, I and others presumed the purposeful aircraft strikes in New York and Washington were probably diversionary, to be followed by attacks, cyber, and otherwise, in the U.S. The probable targets would be public – private components of the national infrastructure whose services and functionality are beholden to interwoven IT systems, which, at the time, were incredulously vulnerable.

Not unlike many others who anticipated this ‘follow-up’ potentiality scenario, prompted me to contact colleagues, on the morning of 911, employed in various sectors throughout the U.S., one of which was serving at a top-tier university overseeing their ‘super-computing’ center. My rationale for contacting this individual, lie in the notion that a super-computing center would presumably have the capability to detect, at least the precursors, to impending cyber-attacks which may have already launched and ‘were on their way’. To my less than comforting amazement, this rationale, in this instance, at-this-time, proved much flawed. So, regardless of the degree-level of familiarity and/or expertise with computer security and system breach detection, recognizing and mounting effective defenses against multi-dimensional cyber-attacks were relatively new concepts, largely absent sufficient software-hardware to execute effectively and instantaneously.

The capability to thwart, mitigate, or contain the asymmetric, adverse, and inevitable cascading effects that coordinated cyber-attacks would likely produce, by design, presents obvious challenges and substantial costs insofar as preparing companies and organizations to reasonably keep pace with the infinite, asymmetric, anonymous and ‘stand-off’ methodologies of (cyber) risks and threats which can materialize anytime and anyplace leaving little or no vapor trail to investigate while maximizing disruption and chaos to a company or organization.

There is little doubt today, that management teams, c-suites, and boards, ranging from Fortune ranked firms, SME’s (small, medium enterprises), and RBSU’s (research-based startups) routinely engage in discussions regarding the practicalities and costs of deploying good-better-best cyber risk mitigation (data-information security) products.

As an intangible asset strategist, risk specialist, researcher, author, and trainer, my experience suggests there are, at minimum, two multi-related reasons why these discussions are inevitable and expanding to every business sector…

• it is a universal and irreversible economic fact that 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability today lie in – evolve directly from intangible assets, primarily, intellectual, structural, relationship-social and competitive capital.

• data/information generation, storage, and at will retrieval demands are continually ratcheting up to infinite levels, variously aligned to the rapid recognition and rise of intangible asset intensive and dependent companies.

To be sure, efforts to thwart the actions of the growing global array of ultra-sophisticated economic and competitive advantage adversaries and legacy free players engaged in hacking and/or state sponsored entities capable of delivering highly specific, targeted, or broad-based cyber-attacks are challenges which cannot be dismissed or relegated to the uninitiated or unfamiliar.

I am certainly not suggesting public-private U.S. entities disregard their fiduciary responsibilities or regulatory mandates to safeguard data. Instead, I am suggesting any entities’ mandate to mitigate operational disruptions re-examine same in organizational resilience contexts to ensure they bear capabilities to differentiate proprietary information and data on a continuum. For example, differentiating data-information that encompass these factors as valuable – competitive advantage intangible assets, e.g., their
contributory role, value, and materiality to a particular-project, product, and/or the company’s mission and/or relevance to reputation and brand.

Organizational Resilience, Building It Really Matters!

July 12th, 2017. Published under Intangible asset risk tolerances and thresholds., Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly Intangible Asset Strategist, Risk Specialist, Trainer, and Author July 12, 2017 ‘A business intangible asset blog where attention span really matters’.

When 80+% of most company’s value, sources of revenue, competitive advantage, and sustainability today lie in – emerge directly from intangible assets…

It’s essential to know a company’s risk threshold – tolerance for every transaction and initiative undertaken, assess and mitigate the risks, and have contingencies in place to achieve rapid and more complete recovery when disruptive risks materialize!

In my judgment, it’s important for business leadership and management teams to acknowledge, that risk (i.e., to a company’s value, sources of revenue, competitive advantage, and sustainability, etc.) is not consistently synonymous with today’s notion of ‘threats’ even though they are routinely expressed as being interchangeable. Business risks are mercurial, that is, they manifest as market change and politically induced instability, supply chain fragility, interconnectivity challenges, problems associated with infrastructure in need of repair and maintenance, changing demographics and behaviors, and, of course, climate.

Ensuring your company is resilient and agile to accommodating – incorporating these and other challenges are key to preparing for risk and uncertainty.

Achieving organizational resilience should not be construed as a necessarily complex or costly undertaking. Companies today are obliged, approaching a fiduciary level responsibility…
• to not only identify potentially (business-wide) disruptive risks.
• but also, mitigate those risks, objectively measured as substantially
elevating probability that the activity, initiative, transaction
being engaged.
• will achieve the desired-projected outcome.
• and, a significant disruption, should it occur, will not cascade to
adversely – irreversibly affect a company’s ability to operate.

Again, the path toward achieving organizational resiliency includes recognizing-distinguishing…
• the various and particular, types and/or sets of risk which may
• the various circumstances which cause – contribute to such risks
• objectively assess (measure) each relative to the company’s
vulnerability, the probability the risks will materialize, and their
criticality to the business operability should they materialize.

A common challenge company leadership experience in assessing business disruptive risks lies in…
• transcending the subjective (guesses, anecdotes) to the quantifiably
• effectively integrating the lesser intrusive measures to monitor,
preclude, and mitigate designated risks.
• preparing-allowing a business to effectively and rapidly respond to
and commence recovery from materialized risks, especially those which
can disrupt (adversely affect) a business’s value, revenue producing
capacity, and essential components to its supply chain.

Each organization (private, for profit, public, not-for-profit, startups, etc.) can seldom escape all risk. It’s prudent therefore to consider risk as being…
• ever and asymmetrically present.
• embedded with variables which affect how, when, where, why, and what
type of risk manifests.

In-order-to sustain a desired level of organization-wide (risk) resilience, competitiveness, and performance, organizations are obliged to have systems, practices, and procedures in place to…
• not-so-much manage, rather mitigate – suspend the most significant
risks, e.g.,
o objectively reaching consensus insofar as the level, type, duration
of risk and uncertainty a company can tolerate or is willing to
o how to (cost, resource) effectively the monitoring and mitigation of
specific risk and uncertainty, and
o recognize when either measurably rises above the tolerable –
acceptable level to warrant additional interventions.
o all-the-while, meeting the organizations’ operational and financial

Given the usual resource parameters which most organizations operate, it is increasingly important that companies have (resiliency) options ‘at the ready’. This often translates as having sufficient layers-levels of resilience to monitor, mitigate, and recover from various hazards and risks a sector specific company may prudently assume it will encounter, particularly with respect to its intangible assets, which are invariably in play. Interestingly, national, professional association, and international standards will be playing an ever-increasing role in the management of operational risks organizations face, e.g., ANSI/ASIS American National Standard, Organizational Resilience: Security, Preparedness, and Continuity Management Systems— Requirements with Guidance for Use (ASIS SPC.1-2009).

One strategy for business leadership and management teams to become better acclimated to today’s aggressive and predatorial ‘go fast, go hard, go global’ transaction environment, is to periodically remind themselves that it is an irreversible economic fact, that 80+% of most company’s value, sources of revenue, future wealth creation, and sustainability today lie in – directly emerge from intangible assets. Thus, those engaged in achieving ‘organization-wide resilience’, conceptually and practically, are obligated to factor intangible assets in their resilience planning and practice.

Similarly, it’s important to recognize the principles – foundations of organization resilience are not merely superficially tweaked versions of conventional (business) ‘continuity and contingency planning’. Admittedly, the latter variously remains a common framework that many business leaders and management teams conceptually rely, irrespective of its reactive, and far less proactive inclination. Whereas, organization resilience, in principle and practice, is embedded with a singularly proactive mantra through its execution as an informed ‘management system’.

It’s surely (increasingly) self-evident, that an organizations’ ability to quickly, efficiently, and rapidly adapt to change, whether the change manifests as market forces, environmental factors, or various types-levels of risk, or a host of other potentially disruptive acts – events, that simply being more organizationally resilient is one of those good, better, best options. Of course, and again, the organizationally resilient options any company should undertake, should be durable, monitorable, responsive, and provide for comprehensive and rapid recovery. In other words, organizational resilience should no longer be dismissed nor subordinated to convention, i.e., a tweaked version of continuity – contingency planning.

In today’s predatorial, go fast, go hard, go global business (transaction) environment in which risks are numerous, asymmetric, and ‘coming at your company 24/7’, taking time to objectively examine the benefits of becoming more organizationally resilient in posture and practice can indeed, be a worthy use of time for any business leader, management team, board, and stakeholder.

Intangible Assets As Business Multipliers

July 25th, 2016. Published under Intangibles as strategic assets, Managing intangible assets, Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly July 25, 2016 ‘A business blog where attention span really matters’!

The word ‘multiplier’, as I have observed its application, has been primarily in military – combat contexts as force multipliers. Observation and strike capable drones for example, are force multipliers because of the operational – observational advantages they provide to various military units needing real time intelligence and possibly offensive action.

However, on the business side, as an IA (intangible asset) strategist and risk specialist, I consider a company’s IA’s as representing a distinctive form/context of business multipliers. Throughout the private sector, IA’s, originate in – arise from valuable intellectual, structural, relationship, and competitive capital or, IA’s.

Preferably, business c-suites and their management teams recognize how IA’s translate, convert, or monetize as competitive tactics, processes, and/or commodities to (collectively – collaboratively) ‘multiply’ – contribute to the effectiveness, efficiency, output, revenue, and/or value of a particular operating group, project, or process.

Either way, when IA’s are acknowledged and effectively integrated in a particular initiative, project, or even organization-wide, they can, and frequently do, favorably impact efficiency, effectiveness, and productivity, which translates as value, sources of revenue, and competitiveness, that otherwise may not have been acknowledged. That’s particularly evident in business environments in which there is little or no receptivity to IA’s either in terms of their usefulness, accounting, internal development, external acquisition, or maturation – conversion often due to a misperception that doing so would disrupt the status quo or create new risk.

IA-based multipliers, also refer to attributes or combinations of competitive inputs which again, often manifest most favorably when collectively-collaboratively drawn from existing intellectual, structural, relationship, and competitive capital. A general example where this has occurred is the package delivery sector as most firms recognized the obvious efficiencies which could accrue by integrating – coordinating both GPS (global positioning) and RFID (radio frequency identification) technologies which converted to growth in value, competitive advantage, and revenue generation capability. Standing alone, both GPS and RFID are tangible-physical assets (technologies), but the intellectual, relationship, structural, and competitive capital which together recognized – linked their application to the global package delivery sector should not be dismissed.

In this instance, GPS and RFID deliverables largely manifest as contributory and competitive IA’s that facilitate-enable the package delivery sector to receive, process, sort, and deliver substantially more orders and packages more efficiently compared to competitors that have yet to incorporate those multipliers.

For those operationally familiar with IA’s, i.e., their origins, development, and integration, in most instances, can (and should) also be leveraged – exploited as, among other things, value proposition multipliers, which in turn, confer credibility and rationale to capital outlays to pursue, purchase, and integrate the multipliers, ala GPS and RFID systems, while recognizing the various IA’s such multipliers produce and strengthen.

So, as more operational clarity is brought to IA’s contributory role and value as multipliers, organization c-suites, boards, and management teams will recognize – materialize as…
• expansions of operational prerogatives and boundaries that correlate with IA development, utilization, and
• decision – transaction outcomes becoming more predictable and lucrative whenever, however, and wherever,
IA’s are in play.
• the necessity for OR (organizational resilience) planning to facilitate quicker and more complete economic-
competitive advantage recovery following a significant business disruption or materialization of reputation
risk, etc.

Risk Tolerance – Appetite: Where Does Your Company Stand?

May 12th, 2015. Published under Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly    May 12, 2015   ‘A blog where attention span really matters!’

In my corner of the business world where 80+% of most company’s value and sources of revenue lie in – evolve directly from IA’s (intangible assets), it’s routine for me to cross paths with very astute, experienced, and financially successful company management team members (c-suites). Somewhat ironically, at least through my lens, many quite cavalierly express the view that it’s impossible to eliminate all (business) risk. I have come to interpret, quite correctly I believe, that mantra is symbolic of the subjective manner in which many c-suites treat risk.

My response to such views is usually to politely hedge a little by suggesting it is possible to mitigate a large percentage of most business’ risk! However, and here comes the hedging part, the resources a company may have to dedicate – reallocate to a (risk) mitigation initiative, and the resulting restrictions, subjective as they may be, would likely be embedded with some untenable impracticalities.

Regardless of how subjective risk mitigation may be, at least how I see it being practiced. Few organization decision makers would knowingly assume risk mitigation practices that would…

  • impede operation effectiveness and efficiency or disturb the flow and integration of IA’s,
    • particularly intellectual, structural, relationship, and competitivity capital.

Any company doing so would rapidly find its viability, profitability, and sustainability substantially undermined, if not ‘go to zero’, unless of course, those assets were transferrable.

Through my lens, there are a significant, but actually unknown percentage of companies in which their tolerance – appetite for risk…

  • varies over time and is often circumstance – transaction specific, i.e., influenced by…
    • the products – services a company produces, delivers, and its target customers.
    • the perceptions – beliefs held by c-suites and boards regarding business risk climate.
    • a prior adverse experience or shared anecdote from another company.
    • the manner and locations in which a company interacts with – engages its primary markets, i.e., customers, supply chains, and myriad stakeholders.

According to Dr. Marc Siegel, a globally respected organizational resilience specialist, there are ways to measure and assess a company’s tolerance – appetite for risk. Most, Siegel says are dependent on their

1. Experience, e.g., the confidence level held by company management teams’ acquired largely through their familiarity with current and over-the-horizon risks, coupled with their (perceived) capabilities to effectively manage (prevent and/or sufficiently mitigate) such risks.

 2. Resiliency – e.g., if or when a significant (business) risk materializes, are there policies and practices in place to (a.) mitigate – minimize the criticality produced by the risk, and (b.) rapidly return the company to a state of operational and financial – revenue normalcy in a reasonable time frame before risk resiliency is irreversible. Achieving such a desired level of risk resiliency includes minimizing the fragility and vulnerability of company’s – business unit’s intangible assets, particularly intellectual, structural, relationship, and competitive capital for the duration of the risk event.

A related question I routinely pose to management teams, focuses on how they (presumably) achieved consensus to accept or tolerate particular levels of risk relative to a specific transaction, new venture, strategic alliance, etc.?  The answer is frequently some variation to the proverbial…

‘risk is an inherent feature of doing business and all successful business persons are inherently risk takers’.

I approach business risk a little differently in terms of understanding why and how I may respectfully influence management teams, boards, and c-suites, already inclined to have a greater appetite for – tolerance of certain (business) risks and not others. I find it’s frequently due to…

  • types and levels of risk are subjectively measured – assessed to be low, in terms of vulnerability and probability, but extraordinarily high in criticality,
    • making the cost of mitigation, i.e., risk transfer, etc., exceed potential (prospective) benefits, thus self-insurance or elevated tolerance for risk appear to be the prudent, near term option.
  • the asymmetric nature of business risks, i.e., their magnitude, frequency, criticality, and cascading potential, while factoring the type of product or service a company produces, is beyond the capabilities of most to consistently prevent or mitigate.
  • companies’ anticipated – projected business opportunities associated with assuming a certain level of risk, outweigh risk exposures to the point that a management team can justify – rationalize executing a particular transaction or new initiative and therefore assume a substantial portion of the risk.

(This post was inspired by the work of Dr. Marc Siegel and his work related to organizational resilience on behalf of ASIS International.)

Intangible Assets Not Renewable Resources

June 2nd, 2014. Published under Fiduciary Responsibility, Intangible asset protection, Intellectual Property Rights, Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly   June 2, 2014   ‘A long form blog where attention span really matters’.

Pat Choate, in his 2005 book titled ‘Hot Property: The Stealing of Ideas in an Age of Globalization’ (p. 218)points out that an ‘idea, by definition, exists solely in one’s mind, where it remains happily and comfortably secure, but not terribly useful’. So, in order for an idea to potentially produce commercial and/or contributory value to its holder at some point, it must be expressed. Even though Choate (2005) says ‘protecting one’s ideas represents a basic social contract between society, its government, and the individual(s) who created the idea’, the act of openly expressing ideas, with increasing frequency, serves as a starting point for asset vulnerabilities and potential challenges and disputes to emerge for the originators (holders – owners) of the ideas.

Fundamentally, products of the mind are a type of intangible asset and manifest as intellectual, structural, and relationship capital including intellectual property (IP) and some other forms of proprietary information. Risks, to these intangibles materialize with some regularity and certainty, often in the form of purposeful or inadvertent events, acts, or behaviors that can adversely affect or jeopardize (asset) ownership, control, use, and value. A significant percentage of materialized intangible asset risks are of a nature to adversely affect a company’s reputation and its competitive advantages with equal rapidity, for example…

  • stifle competitive – economic momentum of a company project, new venture, or product launch.
  • undermine a business transaction or strategic business plan.
  • erode an assets’ value as a source of potential value and projected profitability.

Business continuity – contingency planning pre-Internet era…

In the pre-Internet era, when intangible asset were barely a twinkle in economists’ eyes, misappropriation, infringement, and/or counterfeiting was characterized as being relevant almost exclusively to IP, i.e., patents, trademarks, copyrights, and trade secrets. Too, at the time, a relatively common risk mitigation strategy (to a company’s assets) was business continuity – contingency planning, not organizational resilience, and was generally designed – intended to be a mechanism to contain the risk(s) and mitigate their impact, i.e., the damages or extent of the losses as well as additional adverse impacts to company reputation, image, and goodwill, etc.

Today however, in the current knowledge based (intangible asset) era of going fast, going hard, and going global, even the most well-intentioned and wishful thinking efforts to contain the multitude of risks that can materialize is more fitting, in my view, to tangible (physical) assets than intangible (non-physical) assets.

For example, in the world of physical (tangible) assets, so-called firewalls erected between apartment buildings are designed – intended to contain or reduce, for a certain period of time, the probability that a fire in one building will spread to adjacent buildings and/or structures.

Such conventional firewalls however are less relevant or practical insofar as safeguarding or mitigating risks to knowledge-based intangible (non-physical) assets which again include intellectual, structural, and relationship capital, IP and proprietary information. In most instances, in today’s increasingly sophisticated risk laden R&D and business transaction environments, anyone of these types of intangible assets, absent effective asset monitoring and safeguards, will be at risk. Unfortunately, the sophisticated methodologies applied by the expanding number of global economic and/or competitive advantage adversaries, allow value laden intangible assets to be quickly discerned and instantaneously disseminated to a growing and often organized and sophisticated labyrinth of information brokers, business intelligence operations.

Don’t Overlook Intangible Asset Safeguards

Significantly, once an intangible asset has been compromised or succumbed to the growing array of sophisticated and asymmetric risks and threats, a company mitigation practice based primarily on the principles of containment, in my view, is neither a realistic or viable (standalone) strategy, certainly not something which a company’s management team, c-suite, board should feel comfortable insofar as their fiduciary responsibilities are concerned, i.e., see Stone v. Ritter.

Thus, while conventional intellectual property enforcement mechanisms (i.e., patents, trademarks, copyrights, trade secrets) remain a global (WTO) requisites for conveying ownership and standing to address the inevitable disputes, challenges, risks, and threats, the deterrence features associated with each have been minimized and are routinely disregarded and circumvented by adversaries. Thus conventional IP enforcements assume a more reactive vs. proactive posture, one that requires formidable and consistent self-policing and monitoring

In today’s increasingly aggressive, predatorial, and ‘winner take all’ global R&D and business transaction environment, this leaves, in my view, conventional forms of intellectual property (enforcement) certainly less relevant, perhaps even approaching some manner of obsolescence insofar as effectively combating the ultra-sophisticated risks and threats which are now routine.

Conventional IP enforcements carry little, if any, deterrent features today…

While I am not suggesting conventional IP enforcements should not be used, the harsh reality is, the once respected rights and protections afforded to innovators and entrepreneurs for their products on the mind, through patents, trademarks, and copyrights, etc., are now being routinely outpaced, circumvented, and utterly disregarded by adversaries globally. Any entrepreneur or company who assumes the mere issuance of a patent, standing alone, will be sufficient to sustain full control, use, and ownership rights for the duration of their patent, for example, is simply no longer credible.

The notion that conventional IP enforcements will ensure indeterminate control, use, and receipt of economic/competitive advantage benefits from an individual’s or company’s hard earned and often very expensive know how, i.e., the intellectual, structural, and relationship capital is unfortunately a business risk that should not be assumed is the exclusive bastion of legal (IP) counsel.

It would not be too challenging to argue conventional intellectual property enforcements carry less benefit to a single holder or a company, aside from providing legal standing in the increasing likelihood of having to engage in litigation over disputes and challenges. It’s most prudent then for business decision makers to ensure best practice intangible asset safeguards are in place from the outset of idea materialization. This includes consistent asset monitoring and defense, not merely directed to the conventional intellectual property rights, but also to sustaining control, use, ownership, and monitoring value and risks to those assets!

Sustaining a successful launch – commercialization of a new idea…

There are many different views about what is actually required to sustain a successful launch – commercialization of a new idea or project.

Obviously, having a very commercializable product and a sufficiently capitalized business plan and marketing strategy represent three time honored ingredients necessary for most successful launches. But, an often overlooked, underestimated, and misunderstood ingredient to a successful business – idea launch is recognizing that…

80+% of the value, sources of revenue, and future wealth creation of the launch will likely evolve from intertwined combinations of (a.) intangible assets and IP,i.e., intellectual capital, and (b.) specialized proprietary know how, i.e., structural capital, and (c.) attractive and distinctive competitive advantages, and brand integrity, i.e., relationship capital. (Moberly, 2011)

So, unlike conventional forms of IP enforcements, i.e., patents, trademarks, and copyrights, no government will issue a comparable certificate that says, these are your contributory value intangible assets, proprietary know how, trade secrets, competitive advantages, and brand integrity which an individual or company should safeguard and monitor their value and risk for the duration of their respective value and functionality cycle.

The responsibility for (a.) recognizing how the intangible assets evolved, (b.) the context which they now exist and are being applied, and (c.) unraveling them (individually – collectively) to assess their contributory value and potential conversion to sources of revenue and competitive advantage lie solely with the launching companies’ decision makers, i.e., originators, holders, and/or owners of those assets.

Admittedly, today’s hyper-competitive global business (transaction) environment, is influencing more companies to recognize the necessity for more than cursory intangible asset identification, assessment, safeguards, and monitoring of value and risk is much more than a time or resource permitting responsibility. These responsibilities are now instrumental in the initial success of product launches. Business decision makers who carelessly or unwittingly hedge their intangible assets’ essential maintenance, e.g., protection and preservation, will with greater frequency, if not certainty, cause risk-threat probabilities to become inevitabilities in which complete or partial (asset) value erosion and/or dilution are likely to occur which can also inadvertently create parameters and/or boundaries to a company’s economic – competitive position capabilities and potential.

What can companies do if – when their intangible asset ‘genies get out of their bottle prematurely…

The genie for profitable and sustainable launches of a new company, product, or idea is embedded in the business decision makers’ recognition that…

Getting out of the bottle is a metaphor of course, for situations in which business decision makers overlook or underestimate the role, contribution, and/or value intangible assets make to the overall sustainability of successful business launches and equally important, the risks-threats to those assets.

The initial requisite to commencing asset recovery action is recognizing delays in (a.) discovering the materialization of asset risk, and (b.) securing experienced guidance about what action to take and when, will most certainly complicate and weaken a company’s (legal) position insofar as the possibility of achieving a favorable (possibly full) economic – competitive advantage outcome.

A responsive and thorough ‘intangible asset – competitive advantage assessment’ is a prudent first step. A specialized (asset) assessment of this nature will aid a company and its decision makers to be better positioned to deliberate on two important points:

  1. prioritize options relative to trying to (re-) establish ownership control and use of the no doubt already hemorrhaging intangibles.
  2. strategies to try to stop and/or mitigate additional economic – competitive advantage hemorrhaging (of the assets), i.e., devaluation, undermining, infringement, misappropriation, reputation risk, etc.

Bottom line; risks-threats to a company’s intangible assets, intellectual property, proprietary know how and competitive advantages and brand integrity should not be dismissed and/or characterized as merely just another risk of doing business!

Unfortunately, far too many companies lose, inadvertently relinquish, and/or become entangled in extraordinarily costly and time consuming legal disputes and challenges over the ownership, control, use, and value of their intangible assets, competitive advantages, proprietary know how, reputation, and brand integrity. One of the most frequent reasons is dismissing the real, persistent and stealthy risks-threats to those assets and their contributory value to strategic sustainability.

Business’s Tolerance For Risk To Their Intangible Assets…!

November 12th, 2012. Published under Enterprise risk management., Organizational resilience and business continuity/conti, Uncategorized. 4 Comments.

Michael D. Moberly    November 12, 2012

In my corner of the intangible asset business world, it’s quite routine to engage highly experienced, intelligent, and successful business owners and management teams who cavalierly and somewhat patronizingly, express the view that it’s impossible and far too costly to eliminate (prevent) all business risk, that is if of one wants to remain in business.

Often embedded in this perspective, is the misperception that preventing business risks equates with being overly cautious and risk averse, which some argue is tantamount to a ‘fortress mentality’ which substantially dampens any sense of receptivity to new or ‘edgy’ business endeavors.   Too, a frequent refrain is that business risks are simply too prevalent, inescapable, and asymmetric to avoid in every business dealing, absent literally building a risk prevention – adverse ‘moat’ around one’s business.

My response to such consistent expressions from management teams, c-suites, and boards is to respectfully, but objectively, introduce the notion that a business, with a substantive risk prevention-mitigation pillar is not wholly impossible, nor will it be perceived as antagonistic or incompatible to competitive and welcoming business transactions and configurations.

Some management teams, et al, quite incorrectly interpret, in my view, that the resources  necessary for creating a ‘risk moderated’ business (transaction) environment are neither practical nor feasible and, if done, would inevitably expedite business failure because it would hamper and  impede business’s engaging their strongest, most valuable, and charismatic assets, i.e., intangible assets such as intellectual, relationship, and structural capital.

I’m confident few, if any readers of this blog would agree to such a restrictive business environment.

My experience and I suspect that of many readers of this blog as well, recognize that many management team’s ‘tolerance for risk’…

  • varies considerably, even within the same sector…
  • is generally subjective, often influenced by anecdotal evidence, the products and/or services a company produces, and/or evolve from management team, c-suite, and board perceptions – assumptions about (certain) business risks fro, prior experiences, and…
  • locations of, and interactions with a company’s primary markets, i.e., countries, customers/clients, supply chains, and a host of other relevant stakeholders.

Let’s not overlook or forget the economic fact that 65+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets today, which in most instances, a business/company has developed internally (i.e., through prudent use of its intellectual, structural, and relationship capital) or acquired and integrated externally.  So, in essence, when we address the subject of a business’ tolerance for risk, in my view, we’re really talking about how tolerant a company is relative to risks to its intangible assets!

According to Dr. Marc Siegel, a globally respected specialist in organizational resilience, there are ways to measure and assess a company’s tolerance for risk which I have added to throughout this post.  But, as readers know, sometimes all too well, measuring and assessing a company’s tolerance for risk is frequently dependent on the experiences, anecdotes, and largely subjective assessments emanating through the lens of management teams, c-suites and boards, i.e., their…

  1. experience and confidence level acquired through their familiarity with and the significance they attach to known, current, and over-the-horizon risks…
  2. ability to following a risk event through effective  risk management, prevention, and/or mitigation initiatives…
  3. organizational resilienceto sustain a robust business (transaction) environment following a significant (business) risk or disruption and consistently utilize-leverage intangible assets to achieve strong growth, profitability, and sustainability trends, i.e., policies, procedures, and practices in place…

a. to mitigate-minimize the criticality posed by certain risks (reputation or otherwise) and,

b. that would allow a business to return to a state of operational and financial and revenue normalcy in a reasonable time frame      because  it  could maneuver and apply mitigation measures to an array of risks to elevate the probability that a previously agreed  upon (accepted) level of business operational continuity is sustainable should a particular risk actually materialize.

4. recognition of core/key intangible assets, e.g., minimizing intangibles’ fragility, and vulnerability to loss and/or compromise, while   stabilizing their value, competitive advantage-reputation delivery, revenue streams, and sustaining their control, use, and ownership throughout the risk event, particularly that which is embedded in intellectual, structural, and relationship capital.

Another important and relevant inquiry I routinely pose to management teams, is how they achieved consensus regarding the acceptance and/or toleration of a certain level of risk and/or operational continuity relative to specific transactions, new ventures, strategic alliances, or other business initiatives in which risks are present and/or occur?  Interestingly, their frequent answer is again, (a.) certain levels and/or types of risk are inherent features of doing business, and/or (b.) all successful business persons are inherently risk takers.

I examine responses such as to why management teams, boards, and c-suites may be inclined to tolerate certain (business) risks and not others?  I find it’s usually because the…

  • risk is frequently subjectively assessed and/or measured to be relatively low in terms of vulnerability and probability, or the
  • perceived cost of risk mitigation exceeds potential (projected) benefits, making elevated tolerance for risk appear to be the more prudent course of action…

However, experience suggests, absent experienced and expert assessments of risks/threats, management teams and c-suites will characterize certain types/categories of business risk…

  • as being low in priority to receive prevention/mitigation resources in terms of probability
  • as being low insofar as occurrence and asset vulnerability to loss, value reduction, and/or compromise, but
  • high in criticality (adverse economic, competitive advantage effects to the company) should certain risks materialize.

But, the reality is today that, many types/categories of business risks are asymmetric, i.e., their magnitude, frequency, criticality, and speed of cascading throughout a business, should they materialize is substantial.

Therefore, for many, if not most companies, projected business opportunities come already affixed with certain levels of risk.  The objective is to mitigate risk exposures to the key-core intangible assets in play to point that management teams can proceed confidently with a particular transaction or initiative while assuming a portion of the risk with confidence and objectivity it will not spillover, cascade, or adversely affect the projected economics or competitive advantages.

This post was inspired by the work of Dr. Marc Siegel and his strong expertise in the field of organizational resilience on behalf of ASIS International.

Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of this post, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance. And, I always welcome your inquiry at 314-440-3593 or

Risk Tolerance: Where Does Your Company Stand?

April 25th, 2012. Published under Enterprise risk management., Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly    April 25, 2012

In my relatively small niche/corner of the intangible asset business world, it’s quite routine to engage experienced and seemingly successful management teams and risk managers who cavalierly express the view that it’s impossible to eliminate all (business) risk.  My response to such perspectives is usually to politely hedge a little by suggesting it is possible!  However, and here comes the hedging part, the resources a company would have to devote and the ultra-restrictive environment a ‘risk free’ business would necessitate, i.e., no external interactions or emanations are just two examples. I know of no company that would agree to such aggressive tactics because they could no longer be viable nor profitable and their intellectual, relationship, and structual capital (intangible assets) would be of little, or no value.

My experience also suggests most company’s ‘tolerance for risk’ (a.) varies, (b.) is largely subjective, (c.) is often influenced by industry sector and the products and/or services being produced, (d.) management team, c-suite, and board perceptions/beliefs about business risks (usually evolving from prior experiences and/or anecdotes), and (e.) locations of and interactions with a company’s primary markets, i.e., customers/clients, supply chains, and other stakeholders.

According to Dr. Marc Siegel, there are ways to measure and assess a company’s tolerance for risk which is dependent on their…

1. Experience, e.g., the confidence level held by a company’s management team achieved by their familiarity with current and over-the-horizon risks, coupled with their perceived ability to effectively manage (prevent and/or mitigate) such risks.

2. Resiliency – e.g., if or when a significant (business) risk or disruption occurs, are there policies and practices in place to (a.)mitigate/minimize the criticality posed by the risk, and (b.) rapidly return the company to a state of operational and financial/revenue normalcy in a reasonable time frame, in other words,  its resiliency. Achieving company resiliency also includes minimizing the vulnerability, fragility and/or loss of  intangible assets, particularly competitive advantages, for the duration of the risk event.

One question I often pose to management teams focuses on how they presumably achieved concensus to accept or tolerate a certain level of risk relative to a specific transaction, new venture, strategic alliance, etc.? The answer I tend to get when I pose such a question is the proverbial ‘risk is an inherent feature of doing business and all successful business persons are inherently risk takers’. I analyze risk a little differently in terms of why management teams, boards, and c-suites may be inclined to tolerate certain (business) risks and not others. It’s usually because the…

  • level of risk is generally subjectively measured/assessed to be low in terms of vulnerability and probability, but the cost of mitigation through risk transfer, etc., may exceed potential (prospective) benefits, making self-insurance and elevated risk tolerance appear to be the prudent option.  Such circumstances often arise with risks that are assessed as having a low priority in terms of probability and vulnerability, but extraordinarily high in criticality.
  • asymmetric nature of business risks, i.e., their magnitude, frequency, criticality, and cascading potential, should they materialize, coupled with the type of products and services a company produces, is beyond the capabilities of most to consistently prevent or mitigate.
  • company’s anticipated/projected business opportunities associated with assuming a certain level of risk, outweigh risk exposures to the point that a management team can justify/rationalize proceeding with a particular transaction or initiative and therefore assume a substantial portion of the risk..

(This post was inspired by the work of Dr. Marc Siegel and his work related to organizational resilience on behalf of ASIS International.)

Intangible Assets and Organizational Resilience

March 30th, 2012. Published under Intangible asset protection, Intangible asset strategy, Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly   March 30, 2012

Some management teams consider ’organizational resilience’ to merely be a tweaked version of conventional continuity and contingency planning. Be assured, it’s not!

If anything, organizational resilience (OR) is business continuity and contingency planning on steroids.  That is, OR is more inclusive and evolves from a multifaceted ‘attitude’ of:

  • prevention
  • protection
  • preparedness
  • response
  • mitigation
  • continuity, and
  • economic – competitive advantage recovery

From an operational standpoint, OR differs markedly from conventional security and/or risk management approaches because of its focus on:

  • preparedness
  • drawing a balance between asset vulnerability, risk probability, and criticality (consequences) of certain risks, and
  • shifting away from managing risk reactively, to a highly proactive, adaptive and continually improving series of activities and responses.

Ultimately, a well-designed and executed OR plan can serve as a strategic path for moving a company from a conventional defensive and reactive posture to a proactive (forward looking, forward thinking) risk posture.  By doing so, companies become more anticipatory and ultimately resilient to a broader range of risks and adverse events, should they materialize

In my view, OR is particularly well suited to the ‘systems approach’ which compels management teams to identify and examine risks in independent and dependent variable contexts relative to (a.) asset vulnerability, (b.) probability of occurrence, and (c,) criticality, i.e., potential for significant adverse cascading effects throughout a company and its stakeholders should they materialize.

An OR approach to risk would entail examining business risk(s) that may, for example, have a relatively low probability for occurrence, but carry inordinately high consequences (criticality) making it more challenging to return to a state of operational-financial normalcy.

Thus, OR is much more than mere defensive posturing.  It involves proactive attitudes and practices that recognize 65+% of most company’s value, sources of revenue, and building blocks for growth and sustainability evolve directly from intangible assets. Ironically, this requires management teams, c-suites, and boards to recognize that materialized risks or adverse events may, for organizationally resilient firms, present opportunities to further exploit its intangible assets, presuming other industry sector companies and/or competitors are experiencing similar risk events simultaneously.

A firm’s ability to rapidly, efficiently, and effectively adapt to change and uncertainty (risk) are being ratcheted up on company agendas as action items requiring higher priorities. In OR parlance, the vulnerability, probability, and criticality associated with potential and/or materialized risks, be they natural, intentional, or unintentional, represent a strong rationale why companies need to achieve a level of resilience that fits their respective market, industry sector, and business (transaction) environment.  More specifically, a recovery and adaptive oriented OR strategy can no longer be dismissed or relegated to merely being an ’after thought’.

An initial step toward achieving an organizationally resilient firm puts the onus on management teams and c-suites to recognize the unique elements and features (intangible assets) that are routinely embedded in company operations and functions. In other words, preserve (intangible) assets that underlie a company’s profitability, competitive advantages, and sustainability, i.e., reputation, brand, intellectual – relationship capital, goodwill, image, etc.

Intangibles though, often go un-noticed and un-protected in conventional risk management and business continuity-contingency planning.  I say this in the context that I have yet to engage a management team or board member that does not hold the view that every business or company, particularly theirs, possesses nuanced and unique features that contribute to its success.  Referring to such features as intangible assets though, seldom occurs.

Another step toward achieving an organizationally resilient company is to identify ways to measurably improve on its ability to adapt and rapidly recover from significant (business) disruptions, materialized risks, and/or significant changes in the business (value-supply chain) environment. In other words, remain financially and competitively viable for the duration of the adverse – disruptive event!

(This was inspired by the work of Gregg Goble, Howard Fields, and Richard Cocchiara of IBM’s Resilient Business and Infrastructures Solutions unit and the work of Dr. Marc Siegel, ASIS.)

Organizational Resilience and Intangible Assets

January 12th, 2012. Published under Intangible asset strategy, Organizational resilience and business continuity/conti. No Comments.

Michael D. Moberly   January 12, 2012

I suspect there are very few, if any, management teams today, including c-suites and boards that do not recognize the necessity for their company to have reasonable assurance of operational continuity should certain risks/threats materialize.  Enterprise risk management is no longer solely about (risk) prevention or mitigation rather it’s about creating organizational resilience.

Today’s business transaction environment, for both large and small companies is truly global in which each of the following are the norm:

  • business interdependencies and alliances
  • supply chains that are multifaceted, lengthier, and ‘just in time’
  • elevated vulnerability – probability of disruptions and materialization of risk that carry the capability of producing immediate, adverse, and cascading affects that ripple throughout an enterprise (internally and externally)

      …too, each is prompting management teams, as fiduciary responsibilities, to reassess the conventional business continuity – contingency plan to determine if it reflects today’s  necessary standard’s for organizational resilience?

Determining (assessing) with some degree of precision, just how resilient a company really is to the growing array of (asymmetric) business risks and threats is challenging, but absolutely necessary today.  Many of those risks, should they materialize, their adverse (potential cascading) affects can be immediate, relentless, and devastating insofar as undermining and eroding a company’s value, standing, market share, and revenue streams, etc., regardless of a company’s size, industry sector, or whether it publicly or privately held.  

The bottom line, in my view is, some materialized risks/threats cannot be fully or readily mitigated or reversed without recognizing the need to have a viable and comprehensive organizational resilience plan in place. 

One business reality that makes organizational resilience all the more critical is that growing numbers of analysts as well as consumers, clients, and suppliers:

  • possess a propensity to exhibit – express a sense of skepticism, cynicism , and are generally less-believing of company’s resiliency motivated (public) communications following the occurrence of a risk-threat event
  • can readily find satisfactory alternatives to meet their needs either in the interim or permanently due to which certain risks materialize, i.e., product recalls, production – supply chain disruptions, etc.

           …that render products temporarily unavailable or cause question about their quality.

I find the single greatest challenge to helping company’s design and execute an organizational resilience plan is achieving consensus about the criticality of certain processes, products, and assets (tangible and intangible) insofar as measurably elevating a company’s resilience, i.e., returning to a state of operational normalcy as quickly as possible, following an adverse event or act.  

A word of caution though, management teams that inadvertently overlook or do not specifically include a company’s intangible assets in their organizational resilience plan are not merely being near-sighted or neglectful of their fiduciary responsibilities, they’re actually taking their company down a much more riskier path because:

  • 65+% of most company’s value, sources of revenue, and building blocks for growth and sustainability today lie in – directly evolve from intangible assets, and
  • intangible assets are frequently more fragile, transportable, and therefore vulnerable to adverse events or acts.

(This post was inspired by Michael D. Moberly’s interpretation of ASIS Internationals’ 2009 ’Organizational Resilience’ standard.)

Intangible Asset ‘Risk of Risks’: Company Reputation

December 30th, 2011. Published under Looking Forward, Organizational resilience and business continuity/conti, Reputation risk.. No Comments.

Michael D. Moberly      December 30, 2011

Company reputation is an intangible asset of the first order and, when effectively used and safeguarded, can be a major source of competitive advantage and sustainability.   This is probably what prompted The Economist’s Intelligence Unit to produce a ‘global risk briefing’ titled Reputation: Risk of Risks arising from interviews with 269 senior risk managers. Aside from the fact that the report was produced in December, 2005, its relevance remains very much intact today.

Company reputation is certainly a prized, yet increasingly vulnerable and fragile asset in my view which the reports’ respondents agreed by stating that reputation represented a main concern for the majority of risk managers, ahead of, for example:

  • regulatory risk
  • human capital risk
  • IT network risk
  • market risk, and
  • credit risk. 

Interestingly, the priorities of senior risk managers have changed little since publication of The Economist’s report.  It’s certainly fair to say then that company reputational risk also has become a very significant (fiduciary) concern, not just for senior risk managers, but for company management teams, c-suites, and boards as well.  They recognize the many ways it can adversely affect their company.

Company reputation is defined (in the Economists’ report) as ‘how a business is perceived by stakeholders, including customers, investors, regulators, the media, and the wider public’.  Company reputation, the report goes on to state, ‘declines when experiences of an organization fall short of expectations’. 

However, before this definition can be fully translated into effective (reputation risk) countermeasures, it’s important for a company to bring operational clarity to:

  • whose experience
  • what experience, and
  • which expectations.

Safeguarding a company’s reputation is, with few exceptions, probably the most important, but also, in my view, one of the more challenging tasks and (fiduciary) responsibilities a company can and should undertake relative to its overall management, stewardship and oversight.  In large part I find it challenging because of the asymmetric nature how (reputational) risks and threats can materialize and cascade throughout a company. 

For example, The Economists’ study identified three significant phenomena that individually and/or collectively contribute to elevating reputation risk, each of which remains relevant today:

  • development of 24/7 global media and communication channels
  • increased scrutiny from regulators, and
  • reduced customer loyalty

A relevant, but not easily answered question though, about damages a company can sustain as a result of a materialized reputational risk, in terms of prevention, mitigation, or management, is whether reputation risks – threats should be characterized and addressed as:

  • standalones, or
  • the consequence of other, perhaps simultaneously converging risks? 

As already noted above, reputational risk is often (highly) asymmetric in my view.  This belief inclines me to address it not solely as a standalone or separate risk, rather a consequence (by-product or multiplier) of risks that can materialize sequentially and adversely affect a company simultaneously on multiple levels.

Respondents to the Economist’ study identified the three biggest risks/threats to a company’s reputation as:

  • failure to comply with regulatory or legal obligation
  • failure to deliver minimum standards of service and product quality to customers
  • exposure of unethical practices

This elevates the importance of how company management teams, boards, and risk managers perceive reputational risks to their company…relative to the processes, procedures, and/or programs they (may/may not) have in place as forward looking monitoring and assessments of internal and external factors/variables necessary to prevent, mitigate, and manage reputational risks if/when they begin to materialize.

For example, when conducting a comprehensive (intangible asset) assessment of a company (which includes reputational risks) and there’s evidence that a company’s plans and/or attitudes for responding to reputational risks appear more closely aligned with crisis management than contingency and organizational resilience planning, I would engage the senior risk manager for clarity.  If its revealed that the company genuinely addresses reputational risks/threats solely through a conventional ‘crisis management’ lens, its often an indicator, that the company may not be adequately monitoring – scanning their horizon and stakeholders for risks/threats which is so essential today, and is, my judgment a key underlier to quality contingency – organization resilience planning, not crisis management!

While visiting  my blog, you are respectfully encouraged to browse other topics/subjects (left column, below photograph) .  Should you find particular topics of interest or relevant to your circumstance,  I would welcome your inquiry at  314-440-3593 or