Archive for the ‘My Opinions’ Category

With the news this morning that your eHarmony or LinkedIn password was posted on a Russian website, people are frantically changing their passwords today. Or so one hopes.

Why all the urgency?

Should anyone be concerned that some troublemakers are going to hack your LinkedIn profile and change your Harvard MBA to one from Ohio State (oh the humanity) or change your eHarmony preferred mate preference from athletic to BBW (oh the humanity)? What you should really be worried about is that your stolen password can also be used to access your bank accounts or email. (Oh, I hadn’t thought about that!)

In truth, the posting of passwords probably doesn’t matter because, according to a 2011 study of passwords, the most common passwords are the following:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon

Shocking isn’t it? (I can believe people actually use ‘monkey’ as a password. Huh.)

This article also goes on to list some suggestions for creating and maintaining a secure password:

1. Vary different types of characters in your passwords; include numbers, letters and special characters when possible.
2. Choose passwords of eight characters or more. Separate short words with spaces or underscores.
3. Don’t use the same password and username combination for multiple websites. Use an online password manager to keep track of your different accounts.

I recommend one takes security a step further and also applies the same methodology that author Charles Lutwidge Dodgson employed in selecting his pseudonym Lewis Carroll.

Select a two word password and convert the first word to Latin and then back to English. Next take the second word of your password and convert it to the Latin and then back to Irish. Switch the first and second words and you have a password. Oh ya, and add one of these thingies too: & % $ or @.


In Stephen King’s novel, Under the Dome, a small town in Maine becomes suddenly cut off from the outside world by “an invisible barrier of unknown origin”. If that sounds a bit too much like the Simpsons Movie or science fiction for you, simply replace the dome with any other sort of hazard (earthquake, avalanche, flood), force good (and bad people) to fend for themselves and watch mayhem ensue. It was an excellent book.

Without getting into the details of the plot and characters it made me think about disaster preparedness: lots of folks had generators but not enough propane to power them and one resident ran out of her OxyContin.

Like all things risk management, we know preparation is important but we rarely make time for it. In my home we have a large stockpile of food in our basement but I must confess this has less to do with disaster preparation and more to do with excellent sales. While we probably have enough cans of corn and boxes of Quaker Harvest Crunch to feed the family for a week, I am not sure how useful those cans of Hunt’s Manwich or Tuna Helper will be without ground beef and milk respectively.

According to the Government of Canada, in addition to canned goods and 2 litres of water per day per person, other items to have are a manual can opener (duh!), a flashlight and batteries, a wind up radio (I have a wind up radio with a flashlight!), a first aid kit, extra keys and cash.

I highly recommend the cash. As my classmate Anne Marie once said on the first day of B-school: “cash is primordial”. When I think back to August 14, 2003, when the lights went out in the northeast, I stood in the concourse of my office building and took note that the ATMs a few yards away were still running on emergency power. However I went back to my office first (elevator to 3rd floor still running on emergency power) to get my belongings, but when I returned the cash machines were out of juice. Lesson learned.

Next week (May 6-12, 2012) is Emergency Preparedness Week so have a read and get prepared.


There’s a nail in the tire of my wife’s car. Rear driver side. Fat head pushed all the way in. It caught her eye on the weekend by accident while the car sat in the driveway. Tire pressure appears normal.

Is this a risk? Since getting a flat tire could cause her to fail to meet her objectives – driving to work – then yes it is a risk.

Did the risk just happen? Of course not. Every one of us is at risk of getting a flat tire at all times.

If the risk did not just happen then did impact or likelihood just change? Not really. Only our perception of the likelihood of a flat tire changed, which is what I call the “Moment of Risk Enlightenment”. The tire may have gotten punctured days, weeks or months ago but since we now know about this nail (identify) we have to assess and treat. This is the responsible thing. Ignore is not a step in the framework.

While some people may believe they have to repair or replace the tire immediately, as risk treatments go, we choose to accept the risk and do nothing. Fortunately, this Chevy Traverse comes equipped with a risk dashboard (literally): a real-time tire pressure monitoring device. We will continue to monitor the pressure until the gauge displays a pressure value which exceeds our risk tolerance at which time we will decide on a suitable treatment.

Don’t forget that enterprise risk management is merely a tool to help you prioritize your risks. One doesn’t have to mitigate everything all the time nor should we be distracted by benign risks that just pop up at the expense of the risks where we are currently focusing our efforts and resources.


In the series A Song of Ice and Fire which begins with the book A Game of Thrones, by George RR Martin, we are introduced to the Wall and the Night’s Watch.

The Wall is an immense fortification on the northern border of the Seven Kingdoms that defends the realm from “what lies North of the wall”. It was created over 8000 years ago and measures 300 miles in length and 700 feet in height.

The protectors of the Wall are a military order clad in black known as the Night’s Watch and they are as old as the Wall itself. While kings come and go and wars are fought in the Seven Kingdoms, the Night’s Watch’s allegiance is always to the realm.

As I see it, the wildlings and Others which lie North of the wall are risks to Westeros; the wall is the risk management; and, the Night’s Watch are the risk managers.

A couple of other takeaways from this analogy:

1. The Lord Commander, the final authority over the Night’s Watch, is like our modern day Chief Risk Officer. What’s interesting is that unlike in the rest of feudal Westeros where only lords and knights rise to positions of authority, the Night’s Watch is a meritocracy. Even a common man can rise as high as Lord Commander. (Read: You can make anyone with strong leadership skills the CRO. The position doesn’t have to be filled by anyone else from the C-suite and they definitely don’t have to be a professional accountant.)

2. Like the Night’s Watch, which has an allegiance to the realm, modern day risk managers should only have an allegiance to the organization and shareholders and never to the CEO, CFO or gods forbid the head of internal audit. This approach has worked for 8000 years for the Night’s Watch so it should work for your organization today.

Finally, when someone joins the Order they take a vow; this is known as “taking the black”.  As you read this, consider how today’s risk managers should also take a vow like this:

“Night gathers, and now my watch begins. It shall not end until my death. I shall take no wife, hold no lands, father no children. I shall wear no crowns and win no glory. I shall live and die at my post. I am the sword in the darkness. I am the watcher on the walls. I am the fire that burns against the cold, the light that brings the dawn, the horn that wakes the sleepers, the shield that guards the realms of men. I pledge my life and honour to the Night’s Watch, for this night and all nights to come.”


Last year Apple released the iPhone 4S and critics pointed out it was pretty much the iPhone 4 with a big-s glued on. Although there were some minor improvements from the iPhone 4, overall it was pretty much the same phone.

After reading the ERM white paper “Black Swans Turn Grey” from PwC, it made me think that all the authors have done is glue a big-s to existing ERM frameworks. While they try to make it sound like they are proposing a new risk management approach, in fact this paper reads more like an indictment of the people who have implemented ERM poorly. Then again, like the iPhone 4S, perhaps this paper is not intended for existing customers but to convert new ones instead.

Their suggestions for improving upon existing ERM include:

  1. Align risks to corporate strategy
  2. Develop a risk aware culture
  3. Focus on risk appetite
  4. Align risk and strategy

Aren’t they supposed to be doing this already?

The paper also notes: “Some are not convinced that their return on spending on Enterprise Risk Management (ERM) frameworks is fully justified by the level of protection they gain from them.” To that I say there is nothing wrong with the framework of ERM; it’s the people who are doing a terrible job implementing it.

It’s long been my view that implementing an effective ERM program is an exercise in change management. No more no less. I also believe that the vast majority of people who hold risk management leadership positions were promoted into those roles because someone mistakenly believed that a person who has some auditing experience could naturally do risk management. If that’s the case, not only would that individual probably not have change management experience but they probably don’t even know they require it. If boards are not seeing the gains they expected, blame the people doing the job and not the framework.

What’s more, the authors write that ERM has become a box-checking exercise. Well, what would you expect with all those auditors doing risk management? (Zinger.)

Finally, while I do not read any new breakthrough thinking here I still agree that the key success factor is the cultural transformation mentioned. But until organizations buy into my paradigm that to change culture one needs skilled leaders and change agents with the right set of skills, we are likely to see a lot more boards disappointed by their ERM programs.


I’ve been playing quite a bit of Angry Birds ever since I got my Samsung Galaxy Tab for my birthday. I love this game.

The objective of course is for birds (each with their unique strengths) to destroy the structures where all the pigs, who have stolen the birds’ eggs, are hiding. When a new level is presented one looks at the weaknesses of the structure and the order of the birds in the queue; then one decides where and when to strike. Often you want the Yellow bird next to smash through the wood but you have the Black one or the Red one in the sling shot. And while it is not immediately obvious to the player what to do with that bird at that moment, it becomes apparent that the birds have it figured out and are lined up that way for a reason.

This is Angry Bird risk management.

Despite being on a suicide mission to destroy the evil pigs, they are not going in blindly. They are strategic. These birds are crafty. They know the reward of saving the eggs outweighs the risk to their own lives. The birds have looked at the tables.

So while there are catastrophic amounts of health and safety risk to the birds (if they miss their target they die in vain before another team of Red, Red, Yellow and Blue birds queues up and tries again), it is clear to me that the Angry Birds are practicing intelligent risk management.

Meeting our organizational objectives is not without risks; like the birds we increase the likelihood of success with careful planning, prioritization and execution in treating these risks.

(Photo courtesy of SardonicSalad.com)


Last week Ted Coine asked ‘what ever happened to the Common Good?’ At some point people stopped doing the right thing and started putting their individual selfish interests ahead of those of their organizations, countries or kingdoms: UBS, the nation of Greece, Queen Cersei, etc.

These days we see squabbling in Washington over the budget because no one wants to do the right thing for the country. Everyone talks to the hand about cutting costs so long as it is not in their backyard.

Just read Sen. Tom Coburn’s (R-Oklahoma) new report on wasteful government spending issued this week to learn about the $936,000 spent to stimulate online soap operas or $75,000 to promote awareness about the role Michigan plays in producing Christmas trees & poinsettia. Dr. Coburn writes: “Over the past 12 months, politicians argued, debated and lamented about how to reign in the federal government’s out of control spending. All the while, Washington was on a shopping binge, spending money we do not have on things we do not absolutely need. Instead of cutting wasteful spending, nearly $2.5 billion was added each day in 2011 to our national debt, which now exceeds $15 trillion.”

What happened to spending for the Common Good?

For those of you who believe $75,000 is not material when compared to $2.5 billion I say shame on you. It’s all those small, stupid expenses that add up. When times are tough at home we stop buying $5 lattes and eating out and shift our spending to what we need and make peanut butter sandwiches every day. (See Maslow.)

Finally, in A Game of Thrones, when Ned Stark became the Hand, King Robert wanted to hold a jousting tournament to honour the new Hand. But when Stark met with his council and learned that the kingdom was practically bankrupt Ned insisted that they don’t hold the tournament as they could not afford it. And besides, he didn’t want it.

The point I am trying to make is that anyone can spend money; but it takes a strong, responsible leader like Ned Stark to not spend it and make the tough decisions for the Common Good.


Eddard (Ned) Stark, Lord of Winterfell, is a protagonist in the book A Game of Thrones by George R.R. Martin. He is principled and tells the truth and believes in honour and justice. Ned would make an excellent Chief Risk Officer.

When King Robert Baratheon asked him to become the Hand of the King – a chief advisor to the King who executes the king’s command and speaks in the King’s voice – it was not a job Ned was seeking. He took the job because his friend needed him and Westeros needed a man like him. In that role, Ned Stark put the Kingdom first.

A successful CRO needs to be a bit like the Hand and Ned Stark. It requires someone willing to put the organization first, who tells the truth and seeks the truth. And like the role of the Hand, the CRO needs to have the power to be taken seriously so as to accomplish the organization’s objectives.

(Spoiler alert: Do not read the rest of this post if you have not read the book.)

While investigating why his predecessor was murdered, Ned identifies the biggest risk to the Kingdom: the king’s heirs are actually the progeny of Queen Cersei and her twin brother. Like a CRO, Ned tries to do the right and honourable thing and reveal the true risk to the king so it can be properly treated. But before he does, Ned approaches Queen Cersei and warns her to get out of town. Sadly, the Queen conspires to have the king murdered instead. Then with no legitimate and lawful heirs, Ned Stark suggests that the throne has to pass to Robert’s older brother Stannis; it is the right thing, the honourable thing. The truth.

But before the incestuous truths can be revealed, the Queen moves first against Ned and places her son on the throne. Ned is later beheaded for his treason.

As a risk professional I have always conducted myself like Ned Stark. Although my honour and affinity for telling the truth have perhaps gotten me beheaded once or twice as well, like the late Lord of Winterfell, I cannot behave any other way. Nor should any leader.

People in CRO (or any risk leadership) roles need to be more like Ned Stark but sadly there are too many Cerseis who place their own personal interests before the truth and their organizations. Too often they win but lately it appears the liars and cheats are paying for their crimes.


In his book “Outliers”, author Malcolm Gladwell explains how “The kinds of errors that cause plane crashes are invariably errors of teamwork and communication” as opposed to mechanical causes. Also, they usually happen after a sequence of mistakes and misfortunes and rarely because of one event.

Our respective cultures dictate how we work and communicate with others. Gladwell describes how communication is very formal in many places where there is a social hierarchy between the “inferior” and “superior” person having the conversation. (Think customer and waiter, accountant and CFO, and co-pilot and pilot.)

Even though it’s a co-pilot’s role to take control of the plane when he or she thinks the pilot has made the wrong decision or is unfit to fly, in cultures where the inferior and superior roles are well defined, the co-pilot won’t do the right thing and take control of the plane. Literally and figuratively this type of behavior won’t fly.

Like pilots, CEOs have dashboards with gauges to help them navigate the organization. They also have hundreds or thousands of co-pilots and flight engineers helping to fly these organizations who each have their own dashboards. Unfortunately, if someone hears a beep or sees a flashing light, not only is there no mechanism for warning the pilot, the culture usually won’t permit it. Even in an organization with a Chief Risk Officer or head of risk management, if the culture makes it socially unacceptable to speak up or tell the CEO he’s fucked up, the organization is destined to crash and burn.

The last word goes to Gladwell who solves this cultural problem by explaining: “Planes are safer when the least experienced pilot is flying, because it means the second pilot isn’t afraid to speak up.”

 

Original post http://riskczar.com/2011/11/10/gladwell-crashing-planes-and-risk-management


Dan Gardner writes in Chapter 3 of his book Future Babble: “Overconfidence is a universal human trait closely related to an equally widespread phenomenon known as ‘optimism bias’.”

This overconfidence often leads us to assess our risks poorly. We all know about the captain of the Titanic who must have been extremely optimistic before that dreaded voyage. He probably thought: “Sure there are icebergs in the North Atlantic but I’ve never hit one in thirty years at sea. Of course I won’t hit one. Isn’t that why I was chosen to captain the greatest ship ever built? Isn’t this the reason why they honour me on this, my final voyage before my retirement?”

His overconfidence and optimism surely would have caused him, before leaving on the voyage, to assess that Iceberg Risk lower than it probably should have been.

Gardner also explains:

“Ask smokers about the risk of getting lung cancer from smoking and they’ll say it’s high. But their risk? Not so high. Starting a business? Most fail, but mine won’t. Getting married? Other people should have a prenuptial agreement. But not me, my love is forever.”

So don’t let your bias and overconfidence affect the way you assess your risks.

Be honest.
