
What Is Truth to Power?

dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.
built to create a common pool of knowledge—one big brain—that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.
a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are helping people like you already, but in fractured ways.
against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it—without undue cost, bias, or hype.
Founder's Blog

As founder of Truth to Power, Cass Brewer serves as steward, advocate, and minion of the T2P community. She has more than 15 years of experience managing technology research, including 5 years focusing on IT governance, risk management, and business process management. Prior to founding T2P, she directed the IT Compliance Institute.



Is risk management a source of risk?

I recently responded to a question about risk management failure on one of the LinkedIn groups I subscribe to. Jacek Marczyk, a risk management consultant, responded to a CNN article entitled "The risk fallacy" by asking whether risk management is itself a source of risk.

Jacek's view, reflected in his article (here), seems to be that the Big Financial firms failed because they neglected to factor market complexities into their risk models; and, moreover, that we all need to get better at modeling complexity. Although I agree with the second point (with a tip o' the hat to the quants out there), I disagree with the first. Now that government investigations, referenced below, and a heap of analysis have exposed many of the factors behind The Fall, it seems fairly clear that AIG, Lehman, Morgan Stanley, and Bear Stearns suppressed risk management from the top down. Not only did they not go the extra mile with their risk models, they never really left the bench.

For those of us who support the quantification and qualification of risk, this is good news: the Big Financials' risk management failures cannot be taken as indicative of the futility of risk management, managerial or operational. Their chief indication is simply bad board oversight and executive accountability at the afflicted firms.

My rationale for this statement is copied below. If you have a LinkedIn account and are interested in this issue, I hope you will also read the complete discussion and its many other informed contributions. It is, as of this posting, an active and interesting discussion in the Risk, Regulation, and Reporting Group on LinkedIn.

Finally, if you have opinions or insight into this or related risk management and assessment issues, I'd like to hear from you. Please comment on this post via the form below or write me directly at [e-mail address not preserved].


Q: The risk fallacy: Do you agree that risk management itself is a source of risk?

A: Any kind of management performed incompetently or venally is a source of risk. However, since AIG, Lehman, and Morgan Stanley actively suppressed risk management, it's problematic to use them as any sort of lesson for companies making a good-faith effort at risk management.

AIG, Lehman, and Morgan Stanley's failures stemmed from performing risk management badly in three ways: 1) incomplete risk modeling, 2) inadequate access and oversight by risk management and audit functions, and 3) no managerial accountability for risky decisions.

We know that the risk models for mortgage-derivative products at Lehman, AIG, and Morgan Stanley reflected fantastic assumptions. This is partly due to the blind spots of VaR, insofar as it relies on historical data (of which there was really none of relevance) and on third-party indicators, such as ratings (which were inaccurate). However, VaR's flaws are well known. The firms' financial modelers and managers would certainly have understood the uncertainties in their risk models. The problem was that they didn't reflect those uncertainties in their risk decisions. Moreover, they failed to track their degree of exposure to the products with the highest degrees of uncertainty.

Of course, even when uncertainty is relatively low, nobody relies solely on VaR—which brings us to the second failure. The firms' risk management and audit functions should have recognized and responded to the inadequacies of the risk models. They didn't because they couldn't. Lehman and AIGFP were risk black boxes. Morgan Stanley had no idea what its traders were doing. But it's not as if the firms passively failed to perform those audit and risk assessment functions. Their failures in that regard were reported, documented, and ignored well before the financial crisis broke.

And that brings us to the third failure. All of the firms knew there were significant weaknesses in their risk management and assessment processes and models. Directors and executive officers had been told that there was no effective risk management in their most at-risk divisions, and they opted not to remediate. AIGFP's Cassano's comment to DeSantis about auditors "polluting" the process probably fairly encapsulates why.

In all cases, whatever the companies' marketing literature said, they were simply not managing risk. This is documented in May's [s/b October's] congressional hearing about AIG, in the GAO's review of regulators' oversight of financial firms' risk management systems [PDF], and in various other Google-able resources.

So, to address the initial question, "Do you agree that risk management itself is a source of risk?"—the answer is yes...and no. Risk management is to some degree a recursive business function. It can fail in many ways, including the failure to diagnose its own failure. This, however, cannot be taken as a case against risk management efforts; rather, it's a warning that companies can choose to ignore risk in order to pursue market opportunities. In such cases risk management fails not because it's incompetently done, but because it fulfills its mission to fail.

There are, of course, many examples of effective risk management and modeling. Conventional mortgage risk models, for example, have served banks well. Where risk models work, they tend to differ from AIG et al.'s exotic and faulty models in the following ways: 1) they are based on sufficient and accurate data, 2) they reflect sound financial principles, and 3) they are subject to competent audit and managerial review. Companies looking to assess their own risk management practices should begin by scoring each of these criteria.

 
How not to attract a qualified security manager

One of the most popular news items we covered recently is a new report on the shortage of information security pros in government. (PDF here, summary here.) I read the report, then went to the US Government jobs site to see what they had posted.

Turns out, the US Navy has lots of information security positions posted for the Seattle area, where T2P is based, and each ad has desperation written right into it:

"This notice is issued under the direct-hire authority to recruit new talent to occupations for which Department of the Navy has a severe shortage of candidates or a critical hiring need."

So, that should get things rolling.

Or not. Click the "to apply" link, and you get this:

[screenshot not preserved: the browser's SSL certificate warning shown when following the "to apply" link]

This is, of course, a shining example of how bad security management stymies good security management.

You can ignore the SSL warnings and proceed to the Navy's jobs site. If you do, you should be disqualified from any security job there.

 
Failure is not an option: it's a style

"Failure is not an option" is one of the most perplexing business mantras. Failure—in projects, business performance, and professional obligations—might not be a choice we would willingly make, but it is always a possibility. In fact, our unwillingness to contemplate and plan for the contingency of failure can ultimately work against us by making a bad situation worse.

Consider the cascading failures caused by the recent fire at Seattle's Fisher Plaza (photos). An electrical short in the building's switch room took out both the main and backup power feeds. It also triggered the building's sprinkler system, which promptly doused the backup generators with water. Thus, just as many US employees were (at least mentally) checking out for the 4th of July holiday, Fisher Plaza went dark and took several large data centers with it.

Many companies that relied on these data centers simply went offline. Microsoft's Bing Travel was DOA for 36 hours; Authorize.Net for more than 10 hours; AllRecipes for more than a day. The list goes on: Redfin, AdHost, Geocaching.com, Popcap Games....

There's been much postmortem tsking about full-redundancy failovers and functional continuity plans. The managerial decisions that allowed Bing Travel and Authorize.net to abandon customers for so long seem especially curious. Still, while the substance of those operational failures should certainly be parsed and analyzed, the style of those failures also bears attention. The Fisher Plaza fire took out email, Web, and/or phone communications for many organizations. Not all of them handled it gracefully.

Read more...
 
Should IT governance be a board-level issue?

A comment about ISACA's new COBIT and Val IT survey on Dan Swanson's GOV_DG list got me thinking about where the buck stops with IT governance. A common strain of thought says IT should be a board-level issue. After all, IT is big money and data breaches have increasingly material potential—as the still-rising tolls from the Heartland and TJX failures illustrate. But is IT, in concept and practice, still too mechanical for board-level attention? Should it be?

The answer to the first question is certainly yes. Even the most strategic IT governance standards—ISO/IEC 8500, COBIT*, and Val IT—live squarely in the domain of How. Val IT might come closest to corporate governance in its coverage of IT investment management, which implies the evaluation of the value of business processes enabled by technology. In this sense, it's similar to GAO-04-394G: Information Technology Investment Management.

Still, even the value-oriented frameworks are insular and inward-looking. In their world view, IT investment is governed by the CIO. The bigger picture—integration of IT risk and value into business process (and process performance) risk and opportunity—is still outside of the sphere.

Because of this insularity, IT itself should not and cannot be the purview of the board. The board's concern is with the performance of business: market relevance, business performance, high-level strategy, financial processes, risk posturing, etc. While IT can enable these business concerns, whether it does (or doesn't) and how are relatively atomic considerations that, from the board's perspective, should remain "under the hood."

Read more...