Tomorrow Never Knows
The Magazine
Vol 1 No 1
Special Feature - Retrospective of Events: Recap of some of the key external events of 2012
Life is ten per cent what happens to you and ninety per cent how you respond to it: Taking risk to be successful
Latest Trends in Cybercrime: An assessment
Time, thoughts for our internal conscious: How to prioritise your time
Speed of Adoption Risk: Rapid change in the consumption of technology
So What's My Appetite? An alternative view on risk appetite
Operational Risk Management & Criterium Bicycle Racing: Learning from cycling
Understanding Risk to Take Opportunity: Risk management is more than avoiding risk

Published by theinnovationofrisk.com
From the Editor

You read it here first. Risk has not evolved, instead it has regressed into a sad, pathetic beast that focuses on “why you shouldn’t” and not on “why and how you should”. Risk is not about just the past. Risk is about the past, present and future. It is about being at the forefront of new technologies, new ideas and new thinking.

Did we get your attention? We hope so, and we hope this magazine does as well.

Where would a magazine be, without a "top" listing article, so we highlight some of the top events of 2012 across the globe, and it is not a list of happiness and good fortune. Eric Ho also specifically highlights the risks surrounding cybercrime in his article "Latest Trends in Cybercrime". We also highlight a potential top 5 risks for 2013.

The role of Risk Management is not just about making management understand their risks and consider controls and document them. In the words of John McEnroe, “You can't be serious!”. What we are talking about is highlighting the value in managing operational risk, and through our article on "Understanding Risk to Take Opportunity", Kirsty Whyte highlights just this aspect through her discussion on her experiences in sailing and winning the Clipper Round the World Yacht Race. This is then reinforced by Steve Miller who discusses that "Life is ten per cent what happens to you and ninety per cent how you respond to it".

But to truly be able to embrace the future and take a true risk / reward position, we must firstly understand our risk appetite. Mel Odedra provides a humorous and insightful view of this topic in "So What's My Appetite?". In order to be successful in risk management, in turning our heads into the new world of the future, we need to confront mankind's biggest weakness, time. Michelle Brunacci, in "Time, thoughts for our internal conscious" provides us with her personal experiences in handling the question of time.

Sartaj Chopra then provides us with a view of the importance of managing risks through appropriate controls in his story on "Operational Risk Management & Criterium Bicycle Racing".

So, in a world of change, with a constant stream of events across the globe, the role of risk management continues to grow in importance. However, we cannot only focus on the past because it is the future that we are heading towards, and Tomorrow Never Knows what is coming.
Table of Contents

Special Feature - Retrospective: Events of 2012
We thought it prudent to cover what we saw as some of the top external events of 2012

Feature - Understanding Risk to take opportunity
Every experience we had built on the last, so as we raced around the world, the maturity of our risk analysis and insights evolved significantly, allowing us to understand risk.

In This Issue
Life is ten per cent what happens to you and ninety per cent how you respond to it
Speed of Adoption Risk
Mobile thinking for risk innovation
Time, thoughts for our internal conscious
Finding operational risk data and having it work for you
Latest Trends in Cybercrime
So What's My Appetite?
Top 5 Predictions for 2013
Operational Risk Management & Criterium Bicycle Racing
Email us your top risks
Email us your top risks to webmaster@theinnovationofrisk.com

About Us
publisher: TheInnovationofRisk.com
editor: Scott North
photos: presentermedia.com, istockphoto.com, swift publisher 3
writers: Michelle Brunacci, Sartaj Chopra, Eric Ho, Steve Miller, Scott North, Kirsty Whyte, Mel Odedra
subscriptions: To subscribe, email webmaster@theinnovationofrisk.com
editorial comments: For comments please contact webmaster@theinnovationofrisk.com
A Note to Readers

The views expressed in articles are the writers’ only and not those of TheInnovationofRisk.com. The writers consider their sources reliable and verify as much data as possible, although reporting inaccuracies can occur; consequently, readers using this information do so at their own risk. Each article opinion contains certain risks, and it is suggested that readers consult their relevant legal and/or risk professionals. Tomorrow Never Knows is distributed with the understanding that the publisher is not rendering legal or financial advice. Although persons and companies mentioned herein are believed to be reputable, the writers accept no responsibility whatsoever for activities undertaken after reading this magazine. No part of this magazine may be reproduced or transmitted in any form or by any means without written consent of the publisher. All messages or letters to the publisher will be treated as unconditionally assigned for publication, copyright purposes and use in any publication or brochure, and are subject to the publisher's unrestricted right to edit and comment.
Life is ten per cent what happens to you and ninety per cent how you respond to it
Steve Miller

The more I learn about operational risk the more I realise that it is not just a “business” thing. It is at the core of everything we do. We are nearly always forced to consider risk even though we may not be aware of it. Once you make the link between managing risk and making good decisions you soon realise that it is not always the best approach to be risk averse. Whilst that may seem a prudent thing to do, it can be somewhat limiting in achieving your maximum goals and potential.

So what have I learnt from working in Operational Risk? Thinking long and hard about how to best manage and implement it across the business I have learnt that rather than avoid risk we should embrace it and control it, rather than it control us. It won’t go away so we need to respond to it. In doing this we open up the possibilities to achieve much more than we would otherwise.

I used to approach most things in life from an initial position of “avoid risk at all costs”, on reflection I realised how limiting that can be to achieving your goals. When I look at successful people in life, a common theme across them is the degree of risk they took to achieve a goal. It seems trite but it is simply the risk / reward equation. You soon realise that we need uncertainty in life to enable us to innovate and improvise. Along with that uncertainty comes risk, but once you can accept this you are ready to confront and respond to it and reap the rewards.

Sport throws up some great examples of this, especially the game of cricket. I am a casual watcher and never really played the game but I enjoy analysing and comparing individual player approaches to situations. Some players when they first come in to bat set their minds to avoid any risk of getting out by not playing strokes or blocking the ball; which is great if the objective is just not to get out. But to win the idea is to also make runs! What generally happens is that they get so far behind the target that in the commentator’s terms they are faced with “throwing caution to the wind”, “rolling the dice” or “wielding the willow”. What they are in fact forced to do is go from a totally risk averse position to just plain reckless. This is analogous to a business where little risk is taken until no money is coming in the door, then rash decisions are made that have a massive amount of risk around them with sometimes drastic outcomes – I am sure you are familiar with examples of this.

What the batsmen, and the business, didn’t do was confront the risk, think about it and respond to it right from the beginning and therefore avoid having to face an even more risky position later on.

So if there is something that working in Operational Risk has taught me; it is to accept that risk exists and spend your time managing the ninety per cent and you will be surprised what it can deliver!
Speed of Adoption Risk
Scott North

• The rapid change in the consumption of technology is overtaking Moore’s Law
• From a risk perspective this is extremely critical

“In 1900, less than 10% of families owned a stove, or had access to electricity or phones, and the Model-T was still a full decade away”, from The Atlantic, 'The 100-Year March of Technology in 1 Graph' by Derek Thompson.

The 100-Year March of Technology in 1 Graph
Derek Thompson
You can't measure a century's progress by numbers alone. It's not just that life expectancy at birth has grown from 49 years in 1900 to 78 today, but also the quality of our lives has been improved by law (e.g. new safety and anti-discrimination laws), by culture (e.g. women's ascent in college and the workplace) and by technology. That's why this graph below from Visual Economics, which shows the adoption rate of new technologies across the century, is one of my new favorites.
http://www.theatlantic.com/technology/archive/2012/04/the-100-year-march-of-technology-in-1-graph/255573/#

The rapid change in the consumption of technology is overtaking Moore’s Law as the most talked about rule. Quite simply, over the last decade there have been significant advances in consumer technology and what we have seen is an increasing trend in consumption patterns surrounding these new technologies. The chart detailed in the article by Derek Thompson highlights this ever increasing change in the adoption pattern of technology over time. From a risk perspective this is extremely critical to understand. In order to explain that statement let’s go back in time and consider the introduction of electricity. Electricity, the domain of brilliant men like Thomas Edison, Nikola Tesla, and George Westinghouse, was considered an amazing technology that would revolutionise the world. And it did. From the early 1900s electricity was the most innovative and life enhancing product, and it changed the way we live. In actual fact, both electricity and the telephone are most likely the world's two most important electronic inventions, yet their take-up rates, in terms of consumers, are the slowest in history.

From a risk perspective in the year 1910, this would have been the number one emerging risk for industries which in that time provided gas lighting, steam power and any industry that worked in a mechanistic manner. However, as an emerging risk, these organisations had almost 30 years to adapt, because it was not until that time that at least 60% of the population had electricity. This meant that Boards and Management could take time to understand, analyse, assess and then implement strategic and operational responses. The slow take-up rate of technology at this time was due to many factors, not the least being that the scientific knowledge, both in the individuals developing it and also in those consuming it, was still as much in development itself as the new technology.

Now let’s jump forward in time and consider the most modern consumption trend in the chart, the internet. The internet has achieved over 60% spread in under 15 years. Today, in the year 2012, almost all of us use the internet in some form, whether directly through our own devices or indirectly through those we interact with. But it wasn’t always that way; it did take some time for people to get a deep understanding of the benefits of this new technology. However, it still achieved a penetration rate almost twice as fast as that of electricity. And the chart highlights a number of other technologies, such as the personal computer, the cellphone, the VCR and the microwave that all exhibit similar adoption trends.

Again, from a risk perspective in the year 1995, this would have been an emerging risk for industries which in that time interacted with customers physically in any way, shape or form. However, as an emerging risk, these organisations had almost 10 years to adapt to this new technology. In the case of the internet, it almost seemed in early 2001, with a bubble bursting, that it was a fad and therefore was less of a concern.

Now, let’s come back to today, 2012, where we see the emergence of technologies such as the iPad, Facebook, Instagram, Pinterest, and Twitter. How do these look now from a risk perspective? Do we have 30 years to act? How about 10 years? Or are we looking at a response time of 5 years? Or even less?

This is the speed of adoption risk. And if you get this risk wrong, you may not, as in the past, be looking at a need to change your direction slightly, or even just have to consider embracing the technology, but you may be looking at outright bankruptcy. Consider the situation for book retailers around the world. There are other ways to adapt, by finding that unique segment, but if you have aspirations for growth across the globe, you may need to think again.

So, if you are an Executive or Leader who has “grown up” through the 1960s, 70s, 80s and 90s, you may want to reconsider your thinking on technology. The past is a great model for helping make future decisions, but only if you truly understand what it is telling you.
Understanding Risk to take opportunity
Kirsty Whyte

I circumnavigated and won the 2009/2010 Clipper Round the World Yacht Race with my team mates on board “Spirit of Australia”. It was a 10 month adventure with Mother Nature constantly testing our skills as sailors and our resilience as people. We felt her full fury in relentless hurricane force winds and 20 metre waves in the North Pacific and also felt helpless when she took all the wind away from us in pirate prone waters around Indonesia. We were also blessed with champagne sailing and the beauty of dolphins, whales and magical sunsets.

I am an operational risk professional and have been repeatedly asked “But you are in Risk, aren’t you too risk averse to do something so dangerous”?

What these people don’t understand is that risk management is more than avoiding risk, it’s about understanding the risk environment and managing your risk in order to pursue opportunities. I thought that being presented with an opportunity to circumnavigate the world and undertake the challenge of a lifetime was too good to pass up! I knew I just had to manage the risk as best I could through training, wearing my lifejacket, clipping on in bad weather and having the right insurance in case something did go wrong! Let me step you through an example of analysing risk in order to determine our strategy and take an opportunity during the race.

We were about 2 weeks into leg 4 from Singapore to China and in last place due to a tactical error. Crew morale was awful as we had always been in the lead. The weather had turned nasty once we passed Taiwan and we received a new weather report – it was going to get worse for the next 24 hours – hurricane force winds and large sharp seas. We decided this might be our opportunity to get back to the front of the fleet so we did a risk analysis of how we could use the weather to our advantage. Firstly, we analysed our competitors – through experience we knew how our competitors would respond to these conditions – they would hoist their storm sails and go into survival mode for the night and reassess their sail plan at sunrise. We assessed our crew, our boat and condition of the sails.

The only way to get back in the lead was to go faster than the other boats and that meant our strategy had to be to keep our bigger sails up as long as possible. We were taking a risk as we could damage sails, equipment and/or crew. However we implemented our heavy weather controls to manage the risks we were about to face:
• we had our storm sails prepared;
• the crew was fully briefed and emergency procedures refreshed;
• only the best helms were allowed to helm;
• only 2 people were to be on deck at a time and they must be clipped on by lifelines;
• the remainder of the crew would remain down below in their foul weather gear and lifejackets ready to come on deck to change sails or deal with situations as they arose; and
• everything on the boat and down below was lashed down.

And off we went into the night. It was a horrendous night but by sunrise we had moved from last place to second place. All our competitors did as we expected and hoisted their storm sails except for our arch rival ‘Team Finland’ as they anticipated our response and matched it. Eventually we passed ‘Team Finland’ and won the race.

Every experience we built on from the last, so as we raced around the world, the maturity of our risk analysis and insights evolved significantly, allowing us to better understand risk, make informed decisions and ultimately win the race by the largest winning margin.
Mobile thinking for risk innovation
Scott North

Each day we need to allocate some brain time to think about "different thinking" on risk management. In this regard there has been a significant rise in the usage of smartphones and mobile devices, and this is one area that Risk Managers need to spend more time considering for innovation. The risk profession has not as yet really embraced the mobile device as an enabler or tool for improving risk management. This is actually quite bizarre given that risk management is about managing risks and implementing controls to manage those risks. Therefore, it stands to reason that the function would be working on apps and uses for the device to help business better manage their risks.

So, the question is, what are some of the "mobile thinking" ideas that utilise this growing platform so that the business can more efficiently and effectively manage their risks? Risk management needs to move beyond the impractical traditional tools that really are not user friendly or designed with a customer focus in mind, and move instead to a customer focus. This needs to include considering the tools and the locations of the customers, and the delivery methods that can best suit the consumer base. So as Risk Managers you need to pose this question. What can we do to take the management of risks to the innovative level, particularly on mobile?
Time, thoughts for our internal conscious
Michelle Brunacci

I know that I work closely with technology every day but there are some things that I have resisted and writing a blog was one of them. Ironically, so as it seems, I had the perception that I didn’t have enough time to embrace it, until now.

Feeling that I have been quite time poor recently, I’ve begun to think more deeply about what we do every day and common themes and beliefs that we project with regards to managing our time, either consciously or unconsciously.

Thinking we all have very busy schedules and not enough time to devote to what we need to do, let alone what we actually want to do, is one of them. Reflect on your thoughts for the past week. How many times did you say to yourself that “I don’t have time to do that”. I know I did, and quite a few times too. I thought it would be good to share with you the following article on time management by Charles P. Bosmajian, Jr., Ph.D. who is a psychologist at the National Center for Telehealth & Technology (USA). http://www.afterdeployment.org/blogs/expert/themyth-of-not-enough-time

His points are valid and poignantly offer some uncomfortable truths. Mostly we say we don’t have time but simply it’s more a matter of not giving it a high enough priority. Further, the concept of magically finding time is at best unhelpful and more often likely to cause further internal stress.

So, to put it simply and clearly, I am intending this to be a focus for me moving forward. A first step is to acknowledge the fact that it’s not about ‘not enough time’. It’s about establishing appropriate priorities. It is still ok to have something on the bottom of the list, after all there are only so many hours in a working week. What is not ok though, is not to acknowledge that I made a deliberate decision to put it there and as such I should be comfortable with that.
Finding operational risk data and having it work for you
Scott North

One of the most important roles of a risk professional is to be on the front foot with information. The expectation of the organisation, and most likely your CEO, is that as the Risk Executive you have an ear to the ground and an eye on the horizon.

Quite simply, unless you are superman, covering such a broad area with one mind is going to be a massive challenge for anyone. So, how do you confront that challenge, because confronting your CEO with why you cannot be on top of everything operational is most likely a career limiting move.

So, how are we confronting the challenge?

Over the last few years we have investigated a number of options, some are still a work in progress, but we thought that perhaps if we share our current experiences, maybe the community of risk professionals could collaborate to improve these techniques. We have always said that unless you are a mind reader, then the only way to truly advance is through sharing and growing together.

So here are our current “tools of the trade” when it comes to finding risk and event data. Our criteria for assessment were based on the following attributes: frequency (real time alerts rated higher than delayed), alerting (tools that provide you the alerts rather than having to go to a website), rules (tools that provide the ability to write rules on the content) and cost (tools that are less expensive).

Google Alerts

We found Google Alerts were great when the search terms you use are very clear and specific but it did become quite unmanageable to have sometimes up to 20 email alerts every day, essentially clogging up your inbox. The RSS approach was a little better for reducing email clogging, but unless you are reading your RSS feeds continually you miss quite a bit. The other issue is that it searches every single site on the internet, which for some searches, such as natural disasters, will find every result with disaster in it. For those that use social media such as Twitter and Facebook you can understand the unnecessary data received due to the wide search criteria.

Yahoo! Pipes

Yahoo! Pipes takes searching the internet to a new level, primarily due to the fact that you can bring in multiple specific sources that you select. This therefore eliminates those sources that are just not relevant to your topic. The rules engine within Yahoo Pipes is extensive and to be honest, sometimes a little mind boggling. You have to spend some time getting your head around the engine itself. It is a visual editor but underneath it, it has logic that needs to be understood to really utilise the tool. For an example, check out our Natural Disaster pipe (link).

Once you have nutted out the logic piece, which we leveraged from a member of the risk community, you can really get some high quality alerts. Unfortunately we have found a few issues with this service. Firstly, changes to feeds or feeds that have many entries can bring the Pipe undone (see the warnings on the pipe example above). Also, we just couldn’t get the Yahoo alerting function to work. And finally, when we connected Yahoo Pipes outputs to an RSS feed to then generate a near real-time alert or an RSS feed output, through Feedburner for example, the pipe would just not run. We always had to manually run the pipe.

Push Notifications

Apple Push notifications is clearly an Apple only service. This service essentially takes any RSS feed (Feed43.com, for example, allows you to create an RSS feed from any webpage) and then sends it to an App on your iPhone or iPad in near-real time.

Therefore, you can use the power of Google Alerts and Yahoo! Pipes and feed them into this service which sends an alert to your iPhone. It doesn’t clog up your email and the App has the ability built in to remove alerts in bulk. The author of the App does detail that certain RSS feeds do not allow instant alerting and therefore the website may limit or block their service. Therefore in the case of these RSS feeds, they are read at certain points during the day by the App.

Unlike the other two services, the App has a one off cost of approximately $5, but that is minor compared to the fact it removes alerts from your email, doesn’t require you to have an RSS reader open and sends the alerts automatically to your iPhone, just like an SMS. The App even allows you to turn off the alerting for a period (i.e. when you are sleeping), which is fantastic.
Money Laundering: "$250 billion of dirty money to Iran over a decade."
Anonymous Hackers: "After the arrests, Interpol's website was attacked, as was that of the Spanish police."
End Print Edition: "To stay relevant in a world where paper is increasingly going the way of the dinosaur."
Insider Trading: "Finance professionals who failed to take their responsibilities seriously risked criminal conviction."
Avian Flu Fears: "After an avian flu outbreak hit the largest egg-producing region of Mexico and officials responded by killing some 20 million hens."

Some of this information is courtesy of Risk Management: Year in Review 2012
Retrospective: Events of 2012

2012 has experienced its share of significant operational risk events and with the Mayans predicting the end of the world we felt it was the right time to reflect on the events of 2012. Learning from our failures is just as important as learning from our success.

Having an ability to be adaptive and to respond quickly to changes in consumer sentiment. Recent examples we have seen in this are Apple and the iPhone 4, the failures of Mother for Coca Cola, and the adaption of the fast food industry to incorporate healthier alternatives. Don't be left holding the unsellable: continually review, adapt and evolve!

What better time than at the end of 2012 to review some of the significant operational risk events in the media in 2012, as detailed below.
Interpol Arrests 25 Anonymous Hackers
February 29
As part of its operation “Exposure,” Interpol arrested 25 suspected members of the hacking group Anonymous—four in Spain and 21 in South America—for their role in denial-of-service attacks and publishing the private information of high-profile figures. After the arrests, Interpol’s website was attacked, as was that of the Spanish police.

JPMorgan Suffers Multi-Billion-Dollar Trading Loss
May 14
Ina Drew, JPMorgan Chase’s Chief Investment Officer, resigned following the revelation that a series of complex trades within the credit market caused immediate losses of at least $2 billion. The derivative positions, which were made out of the firm’s London investment office that Drew headed, would eventually cost the bank $5.8 billion (and perhaps up to $9 billion) and become the subject of multiple congressional investigations for impropriety. Company CEO Jamie Dimon, who came through the 2008 banking crisis with a reputation as being Wall Street’s best risk management executive, characterized the trading strategy as “flawed, complex, poorly reviewed, poorly executed and poorly monitored.”

Breach Exposes Nearly Seven Million LinkedIn Passwords
June 6
In a data breach that seemed to confirm the privacy concerns many have about social media, some 6.5 million passwords of the professional networking site LinkedIn were posted to a Russian hacker site. In other breaches this year, dating website eHarmony had 1.5 million of its users’ passwords compromised, Wyndham Hotels allowed 600,000 members’ credit card numbers to be stolen, Yahoo had 400,000 passwords taken, and credit card processor Global Payments had 1.5 million consumer records exposed.

Mexico Slaughters 20 Million Birds over Avian Flu Fears
June 19
After an avian flu outbreak hit the largest egg-producing region of Mexico and officials responded by killing some 20 million hens over a six-week period, an egg shortage and price spike hit the country, which, according to national figures, eats more huevos per capita than any other nation. At 430 eggs per year, the average Mexican eats nearly twice as many as their American peers.

670 Million Indians Lose Power in World’s Worst Blackout
July 31
In what could be the opening scene of a Hollywood apocalypse movie, nearly 10% of the world’s population lost power, as a blackout enveloped India and knocked out the lights for close to 700 million people. The largest blackout in history spanned 2,000 miles of the world’s second most-populous nation and showed that infrastructure development remains India’s main challenge to becoming a larger economic power.

UK Bank Pays $340 Million for Iran Money Laundering
August 14
Facing claims from the New York Department of Financial Services that it laundered $250 billion of dirty money to Iran over a decade, British bank Standard Chartered agreed to a $340 million settlement but maintained that “99.9%” of the 600,000 transactions in question were conducted with legitimate Iranian companies.
Newsweek Announces Plans to End Print Edition October 18 In a move to stay relevant in a world where paper is increasingly going the way of the dinosaur, the 80-year-old Newsweek announced its plans to stop printing a physical copy at the end of 2012. This strategic shift punctuated a year in which, for the first time, the percentage of money spent on online advertising (22%) finally caught up to the amount of time people devote to this media realm (26%), a ratio that now mimics those of radio (15% to 11%) and television (43% to 42%). Print now remains the one medium where spending (25% of ad dollars) far outpaces the amount of their time that consumers devote to it (7%).
‘You’ve been hacked’: why data-breach reporting should be mandatory October 19 In an age of Facebook, eBay and online banking, data privacy is becoming more important than ever before. The majority of Australians have personal information stored online with a range of organisations and companies – information we’d rather the whole world didn’t have access to. A discussion paper released by Australian federal Attorney-General Nicola Roxon on Wednesday could be a step forward in the fight to keep private data, well, private. On Thursday Australia Post shut down its electronic parcel tracking service after a computer malfunction exposed the personal details of thousands of customers who were sent parcels. Mandatory data-breach reporting would have required Australia Post to tell customers of the breach immediately, rather than having the message delivered through the media the following day.
Two sentenced on insider trading December 6 A former JPMorgan banker and her friend, also a banker, were given suspended sentences for insider trading. The case, which centred on JPMorgan's role in advising on US private equity behemoth Blackstone's acquisition of Valad Property Group, also raised questions about the adequacy of the "Chinese Walls" policies in investment banks. ASIC deputy chairman Belinda Gibson said finance professionals who failed to take their responsibilities seriously risked criminal conviction.
Mayan Calendar Ends December 21 With the Mayan calendar stopping abruptly, some people have interpreted this as a Mayan prediction of the end of the World. Outcome: Unknown. Good luck.
Social Media Risks and Rewards
Moore's Law describes the rapid growth of transistors on integrated circuits (doubling almost every two years). Social media can be likened to this law, with a rapid expansion in the tools and the usage in the last two years. This exponential growth provides the organisation with an interesting perspective on risk compared to reward for social media. There are 5 key risk versus reward propositions that must be considered in social media.
1. Individual freedom. The power of the single voice has become significantly more pronounced, providing both positive and negative risks and rewards.
2. News spreads virally. In the past information took some time to become public; now it is almost instant.
3. Environment for interaction. Social media provides the platform for interaction; the risk versus reward question is whether you participate or not (as people will be talking about you even if you do not).
4. Fraud. Social media is almost anonymous, therefore providing value in the ability to "speak" without fear of reprisal. However, it does allow people to not be who they say they are, therefore providing opportunities for fraudsters to obtain customer information.
5. Information mismanagement. Social media provides a significantly greater amount of information than would otherwise be available. This increases the risks involved in making decisions based on misinformation or information which is not appropriately managed.
Social media can therefore be a friend and a foe; manage the risks and rewards wisely.
Latest Trends in Cybercrime Eric Ho
Cybercriminals tend to use not-so-sophisticated methods for hacking, almost like carrying out a cost/benefit analysis ‒ use the minimum effort to get the maximum return.
This article focuses on helping businesses to be considerate to others and look after not just their own interests but customers' and stakeholders' interests as well.
Recently I attended a monthly meeting with the Information Systems Audit and Control Association (ISACA). The topic was “LATEST TRENDS IN CYBERCRIME”. The speaker was from the Australian Federal Police (AFP) High Tech Crime Operation and Investigations unit. In this session, the presenter took the audience through a number of cases and incidents which provided us with an insight into the type of work the AFP are tasked to undertake each day and how it impacts all of our lives. This presentation was confronting and certainly made me think twice about human behaviour.
The presentation detailed the key trends in cybercrime, presenting the following four key themes.
Firstly, the proliferation of available tools to enable hacking. Nowadays, the tools to enable hacking are widely available on the internet.
Secondly, the increasing “badness” in people involved in cybercrime due to the amount of money now accessible in digital form. There is an increasing criminal element in those performing cybercrime as opposed to the historical hackers who only hacked into organisations to expose their system loopholes (aka Wargames, the movie).
Thirdly, the naïve nature or total lack of consideration to other people's wellbeing, displayed by cybercrime. The AFP showed an example where a hacker who hacked into the Columbia police department obtained and published a member listing of the Columbia Special Squad. The compromise was of the special police force who are undercover to "combat" the drug cartels. The disclosure of their identity can lead to serious repercussions to their lives and to their families as well!
And finally, the amount of “bad” data that can be obtained by the cyber criminal. An example was presented where the AFP arrested a hacker who obtained and tried to sell an organisation’s credit card details; they found 6 terabytes of data on his hard drive! This particular criminal was someone who had “inside” information about the organisation and who used that to compromise the organisation's security systems and protocols.
Whilst at this session the group also made four critical and important observations.
Firstly, the cybercriminals tend to use “not so sophisticated” methods for hacking, but they are quite particular about taking a cost/benefit approach to their crimes, that is they wish to use minimal effort to get maximum return!
Secondly, due to the proliferation of hacking tools, the skills of these hackers have actually gone backwards over time. Finding the tools is now just a Google search away!
Thirdly, the audience were surprised at the amount of “bad” data from one individual (6TB of data). To the AFP this seemed to be quite common these days.
And finally, organisations were very cooperative when contacted by AFP regarding possible criminal activities in their organisations.
On a personal note, one of my key takeaways from this session was the naivety and clear disregard for human life of the hackers who published the member listing of the Columbia Special Squad. It reflects the lack of consideration to others (wellbeing, safety, feelings), which seems to be a trademark of human society nowadays. It certainly reminds me of my role as a parent to my kids to also focus on helping them to be considerate to others and look after not just their own interests but others' interests as well.
Source: http://net-security.org/secworld.php?id=13526
So What's My Appetite? Mel Odedra
As I sit here pondering what to write about with the words “write a risk related article like this – it’ll be great” echoing in my head along with the lines …”I really need to get this done and this needs to be delivered by yesterday”…I wonder if I can be bothered? Is it in my risk appetite to do this?
Well what are my options? Write an article or blog – spend hours trying to think of a topic that someone may find interesting or (more hopefully) lead to interpreting me as being an unusually interesting and intelligent fellow – OR - Simply say “Sorry – don't have time?”
The first comes with its own pitfalls. Say I don’t find an interesting topic or the reader thinks “my gosh – what a buffoon?” Or worse still “what the heck is this and what has it got to do with Operational Risk?” Will my cover be blown? Not to mention the hours of wasted procrastination on actually trying to find a topic suitable of putting pen to paper or finger to keyboard as is the case. Think of the time I could have spent actually delivering something else (who knows what the ‘else’ actually is but think of how great that something else could have been!).
The second option comes with its own hazards. Say I don’t submit the required article and everyone else does – then what? Will someone black mark me? Is this a career limiting move? Will my non-conformation result in no bonus? And what about the ‘peripherals’? The mischief / rebel in me says ‘NO - don’t do it…easier to be forgiven than seek permission…pretend to ignore them (hee hee)’ whereas the "slightly worried about feeding my children and paying my mortgage" side of me says “Do it…otherwise you’ll end up in a world of regret (deep sigh)”. Can I afford not to do it?
The strategy I decide to use is simple – do that which is
A) easiest and simplest (write an article with the topic being ‘nothing’),
B) gives the desired results (article written and submitted)
C) and sits easily with me (the rebel in me satisfied with the nature or content of the article…heheh…whereas the mortgage paying, doting father is satisfied that he has met his obligation of providing an article and hopefully securing another round of groceries).
I suppose the Operational Risk Practitioner in me is satisfied too. The above all fits within, as well as helps to define my risk appetite on a personal level as well as a business level. But how does one define their risk appetite? What factors does one consider in making any decision, whether personal or work related? What are the measures of success or failure?
These are all questions that need to be asked and answered when one considers their personal risk appetite and they are the same questions that we must consider when considering an organisation's risk appetite.
Risk appetite is not a precise science, but rather a mixture of qualitative statements and quantitative statements. The qualitative measures provide a way of considering those situations and decisions with guidance around key principles whilst the quantitative provide us with tangible numbers.
Take as we have discussed the writing of an article for a magazine. The qualitative were all around how I feel, what it means to me as an individual and why would I do it. Whilst the quantitative considered the financial consequences of action and / or inaction. As you can see risk appetite is just as applicable to me as an individual as it is to any organisation.
Now talking of appetites…what shall I have for lunch? A salad or something greasy? A Salad would be within my approved health appetite…but something ‘greasy’ would be (excuse the pun) expansionary…but that’s a whole other story.
Top 5 Predictions for 2013
Digital 2010 was the year of the smartphone and was the birth of the tablet. In 2011 the tablet quickly developed into a teenager. In 2013 digital technology will continue to see the most rapid growth in history for any product and with this rapid growth and change comes additional risk. There are contradictory risks of being too slow or too fast, and lacking customer functionality or being too complex. It will be a balancing act for many businesses in 2013.
Global Economic Uncertainty Over the past few years we have experienced ongoing global uncertainty which has created a level of fear in the economy and also made consumers more financially focused. This in turn creates a level of job uncertainty which can result in emotional and financial pressures on staff. All of this leads to pressure from a financial perspective for organisations and for individuals. The key to mitigating this risk is providing certainty for your customers on your products and for your employees.
Consumer Sentiment Shifts Consumers continue to act very quickly, and ruthlessly shift from liking your product to disliking your product. Consumer sentiment has seen the death of many brands, as the consumer switches to alternative products. The key to mitigating this risk is having an ability to be adaptive and quickly responding to the change in consumer sentiment.
Regulatory Change Another year and again where would a top 10 be without this old but secure favourite. The global financial crisis has empowered governments all around the world to step into industries with regulations to ensure future viability. And essentially consumers demand their governments protect the economy in the event of corporate failures. Therefore, organisations need to manage this risk with the same vigour and attention as they have in the past, as government oversight will only increase in the next few years.
Data Security and Privacy This risk is emphasised through the consumer focus on speed and efficiency, which does not always lead to simple data security and privacy controls. Organisations need to consider the full gamut of the consumer experience and the quest to appease the customer, with the need to protect their data and also ensure a secure physical and non-physical environment. The traditional controls around risk management need to be reconsidered to provide more automated and monitoring controls than ever before.
Bonus Prediction: Social Network 2.0 The rapidly expanding worlds of Twitter and Facebook showed the world the success of social media. 2013 will see a number of new players and even new ways of social interaction using technology. Watch out for augmented social reality apps in 2013!
Social Media Risk Information now moves around the planet at astonishing rates. A disgruntled customer can immediately "tweet" their dislike and hundreds, if not thousands can read that comment. Organisations can ignore this risk at their peril. The best mitigant to this risk is active participation and monitoring.
Social Media Data The upside to social media, particularly due to the speed and quantum of data discussed on the medium, is the early warning signs that can be gathered through analysing the data contained within social media. Creating searches and then quantifying "hits" can provide invaluable information in highlighting emerging risks.
Operational Risk Management & Criterium Bicycle Racing Sartaj Chopra The balancing process is not something that can be just laid down and then left alone. It is a continual revisit and reassessment. There will be many errors and mistakes along the way, but these will only make the organisation stronger if the right focus is placed on each of these areas.
I often get asked this question: ‘How come you work in risk management and yet you compete in an inherently risky sport such as criterium racing?’ Now before I begin to answer this question, it’s probably a good idea to clarify for everyone what is criterium racing (or a ‘crit’ as it is most commonly known). A crit is a fast and furious bike race on closed street circuits with very high intensity that lasts about an hour. When racing these crits, the room for error is minimal and you rely upon others to do the right thing especially as you are quite often cornering 3, 4 or even 5 abreast. The average speed of a crit is 40kph+ with a lot of what the lycra men call ‘surges’ (read attacks).
So let’s get back to the question above. I can see where people are coming from. For many of us, risk management automatically gives a notion of taking minimal risk, being conservative on all things, being safe and, if I can be daring enough to say, unexciting. Given this, when I tell them about crits, the high intensity racing with heart rates well into the red zone, constant attacks and the danger of crashing, I can very often see in their eyes feelings that are quite different to how they perceive risk management to be. This made me recently think critically about my own risk appetite and the subconscious thinking / strategies I undertook and still utilize every time I race. Through this I realized a few things.
Goal: Just like how each business has goals and processes that underpin them, I also have my individual targets and processes in place to get me to the finish line. The difference here is that whilst the businesses mostly define success as increased shareholder return and sustained growth; my targets were finishing in the top 10% percentile and having bucket loads of fun with generous dollops of adrenalin running through my veins!
Inherent Risk: Just as businesses have to identify, assess and monitor risks associated with their business activity, I have to do the same for racing. My risks were of crashing my bike, injuring myself and others, time commitment against competing priorities, cost blow outs and so on and so forth.
Residual Risk: Just like a business this is where I was surprised to see the amount of precaution I have undertaken to ensure that the inherent risk (which is quite high for me) is reduced to an ‘acceptable’ level. Some of the strategies I use are:
Clothing & accessories
• Having a helmet and wearing it properly to ensure it does not come off during a crash.
• Visually inspecting my helmet before each race.
• Wearing a reflective ankle band so that I am easily seen.
• Wearing gloves so as to avoid soft skin being ripped through what bikers call ‘carpet burn’.
• Wearing a heart rate monitor to ensure I am not going way above my threshold and therefore being unstable on the bike.
Bicycle
• Visually inspecting my bicycle before each race.
• Testing my brakes and all the contact points.
• Ensuring the tyres are only pumped to a certain level which is taking into account the condition of the road (dry vs. wet).
• Ensuring the bicycle has a rear light and is in a working condition.
• Regularly servicing my bicycle to ensure there are no mechanicals that could have been avoided.
Awareness & Training
• Always paying full attention to the pre-race safety briefing by Club officials.
• Reading in my own time on how to race safely and smartly.
• Racing under controlled and closely monitored circumstances i.e. marshals race with the bunch to ensure all participants are racing safe.
Other
Apart from all the above mentioned preventative controls, there are also a few key detective / corrective controls that I rely upon just as much so as to reduce the inherent risk to an acceptable level. These being:
• Obtaining a racing license which covers me for personal liability, injury etc.
• Ambulance stand-by at all races.
• Having comprehensive cycle and personal health insurance.
Thinking through all of the above controls, I feel now that whilst the inherent risk is quite high, I have the right controls in operation and as long as I monitor them regularly, in terms of their design and effectiveness, the risk is reduced to a level that is acceptable for me. Having said all this though, there is still no guarantee that I won’t have events as you never know what the racing / business environment could throw at you. In fact, at a recent race, I had a tree branch get stuck in my rear wheel which ended up breaking a spoke. The worst that came out of this was me having to abandon the race, which was clearly, in terms of impact, the minimal that could have happened as usually an event in criterium racing involves some skin and blood!
In conclusion, this example showcases not only the value / need of operational risk management, but more importantly, that it is far from being associated with a notion of being super safe, conservative and unexciting. Operational risk management is in fact a practice that can be applied to almost anything, safe or sexy. It is for me a cornerstone to ensure sustainable business / personal outcomes which are within our risk appetite, most, if not all the time.
Tomorrow Never Knows
The Magazine
Vol 1 No 1
The world is evolving at a rapid pace and risk management is playing a crucial role in the evolution. In order to successfully navigate this rapid change the Risk Manager must also adapt through considering what the future may bring. Tomorrow Never Knows is about providing a medium for risk management to embrace the present and the future.
Published by
theinnovationofrisk.com