Tag Archives: risk management

It’s Oxymoron– Managing Risk and Uncertainty: An Organization Without Risk is Organization Stuck in a Rut…

Risk is a basic ingredient for innovation… Risk implies uncertainty and an inability to fully control the outcomes or consequences of an event… It’s an uncertain world and organizations must accept the fact that they operate in a world of unknowable risk… According to Donald J. Riggin; regardless of the nature of risk it’s impossible to manage; in fact, the expression ‘risk management’ is an oxymoron, because if risk was manageable it would no longer be considered risk…

However, understanding risks is a critical step to knowing how to deal with it… According to Steve Tobak; the notion that– Big Risk begets Big Reward is nonsense… Whether it’s the world’s top– hedge fund traders, venture capitalists, real estate tycoons… these billionaire insiders look for opportunities that provide asymmetrical risk/reward… This is a fancy way of saying that ‘reward’ is drastically disproportionate to ‘risk’…

In the article Decision-Making Under Risk and Uncertainty, Samia Rekhi writes: The starting point in decision-making is the distinction among three different states of a decision environment: certainty, risk, uncertainty. The distinction is drawn on the basis of the degree of knowledge or information possessed by the decision-maker… Certainty can be characterized as a state in which the decision-maker possesses complete and perfect knowledge regarding the impact of all of the available alternatives…

Often when making decisions the two terms ‘risk’ and ‘uncertainty’ are used synonymously… Both imply ‘lack of certainty’, but there is a difference between the two concepts; risk is characterized as a state in which decision-makers have imperfect knowledge– incomplete information but enough to assign a probability estimate to possible outcomes of a decision…

These estimates may be subjective judgments or they may be derived mathematically from a probability distribution… Uncertainty is a state in which the decision-maker does not have enough information to make a subjective probability assessment… It was Frank Knight who first drew a distinction between risk and uncertainty; risk is objective, whereas uncertainty is subjective… risk can be quantified, whereas uncertainty cannot… Uncertainty implies that probabilities of various outcomes are unknown and cannot be estimated… It’s largely because of these two characteristics that decision-making, in a risk environment, involves primarily subjective judgment…

All business decision-making has common characteristics. The traditional approach requires precise information and thus often leads management to underestimate uncertainty and risk factors, which can be downright dangerous for an organization… According to Hugh G. Courtney, Jane Kirkland, and S. Patrick Viguerie; making sound decisions under uncertainty requires an approach that avoids the dangerous binary view of risk…

Available relevant business decision information tends to fall into two categories… First, it’s often possible to identify clear trends, such as; market demographics… Second, it’s also possible to identify not so clear trends, such as; customer psychographics… The uncertainty or risk factors that remain tend to fall into one of four broad levels…

  • Level one: Clear enough future: The uncertainty is irrelevant and risk factors are relatively low for making decisions… hence, management can make reasonably precise decisions… Also management can use traditional information gathering, such as; market research, analyses of competitor costs and capacity, value chain analysis, Michael Porter’s five-forces framework, and so on…
  • Level two: Alternative futures: The future can be described as one of a few discrete scenarios… Although probability analysis is useful it cannot precisely identify which outcome is most likely to occur…
  • Level three: Range of futures: A range of potential futures can be identified… A limited number of key variables define the range and most likely outcome can lie anywhere within the range. There are no natural discrete scenarios for the outcome. Organizations in emerging industries or entering new geographic markets often face this uncertainty…
  • Level four: True ambiguity: A number of uncertainties and risk factors create an environment that is virtually impossible to predict. And it’s impossible to identify a range of potential outcomes, let alone scenarios within a range. It might not even be possible to identify, much less predict, all the relevant variables that define the future. This situation is rare– black swan events– although they do exist.

Knowing how to assess risk is an organizational competency that must be fostered for long-term sustainability… To do so requires new language and tools to facilitate effective decision-making and decisive action. According to Ralph Jacobson; in developing business strategy it’s important to determine an organization’s ‘risk appetite’, i.e.; how much risk it’s willing, and can afford, to accept… This involves identifying and understanding the scope of risk required in a decision. Typically there are four options– avoid it, accept it, transfer it, share it…

But often decision-makers are confronted with unknowns– these are ‘unknown unknowns’… These unknowns are things that haven’t even been thought of as possible– black swan occurrences– rare but they do pop up every now and then… situations where management tries to understand more about what they don’t know, than what they do know... These are precisely situations where innovation thrives– it’s when innovators push the edges, challenge status quo, break boundaries in the realm of uncertainty and risk taking. According to Dan Gregory and Kieran Flanagan; uncertainty suggests taking risks, going beyond the known and knowable– thinking scared, thinking stupid, thinking different…

Thinking scared is simply understanding that fear drives all decision-making– it might be the fear of taking action or fear of not taking action. These twin forces often govern negative behavior… but they can also be marshaled and used for positive motivation– the fear of missing out is perhaps the most potent motivation in many organizations. It’s human nature to resist change and this same nature can be used to drive innovation that embraces risk and uncertainty, and thinks beyond scared, thinks beyond stupid, thinks beyond different…

Challenge of Managing Business Risk– Basis for Sustainability: Know and Understand Uncertainty and the Risk Landscape…

Risk is defined as the probability of an unforeseen incident, and its penalty on the business… Whatever the purpose of an organization, the delivery of its objectives is surrounded by uncertainty which both poses threats to success and offers opportunity for increasing success…

You can safeguard your business and increase its success rate by having an effective risk management policy in place. By identifying the risks before they occur, you will have the time and space to prepare and to put solutions in place if needed… Risk management may seem scary when you are planning your business. But by having a business risk plan in place, you can ensure that you protect the viability of your business…


Risk is defined as the uncertainty of outcome, and it must be assessed with respect to a combination of the likelihood of something happening, and the impact if it does actually happen. Risk management includes; identifying and assessing risks (‘inherent risks’) and then responding to them… The resources available for managing risk are finite and so the aim is to achieve an optimum response to risk, prioritized in accordance with an evaluation of the risks.

Risk is unavoidable, and every organization needs to take action to manage risk in a way which it can justify to a level which is tolerable. The amount of risk which is judged to be tolerable and justifiable is the ‘risk appetite’.  Response to a risk situation may involve one or more of the following actions:

  • TOLERATE: The business’ exposure may be tolerable without any further action. Even if it’s not tolerable, the ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained…
  • TREAT: The greater number of business risks will be addressed in this way. An action is taken to constrain the risk to an acceptable level…
  • TRANSFER: For some business risks the best response may be to transfer them to either reduce the exposure of the organization or because another organization is more capable of more effectively managing the risk, however, some risks are not (fully) transferable…
  • TERMINATE: Some risks will only be treatable, or containable to acceptable levels, by terminating the activity, and this might become more clear when the cost/benefit relationship is in jeopardy…

Effective risk management requires understanding more about what you don’t know than what you do know. In particular, it must recognize when new risks are emerging. Too often, risk assessments plot the usual ‘known knowns’, leaving executives and directors under-whelmed because the process doesn’t really tell them anything they don’t already know…

World Economic Forum’s Global Risks 2013 Report is an annual survey of more than 1,000 experts from industry, government, academia and civil society who are asked to review a landscape of 50 global risks… The global risk respondents rated most likely to manifest over the next 10 years is ‘severe income disparity’, while the risk rated as having the highest impact if it were to manifest is ‘major systemic financial failure’.

There are also two risks appearing in the top five of both impact and likelihood; ‘chronic fiscal imbalances’ and ‘water supply crisis’… ‘Unforeseen consequences of life science technologies’ was the biggest mover among global risks when assessing likelihood, while ‘unforeseen negative consequences of regulation’ moved the most on the impact scale when comparing the result with last year’s…

Resilience is the theme that runs through this report. It seems like an obvious one when contemplating the external nature of global business risks because they are beyond any organization’s or nation’s capacity to manage or mitigate on its own. And yet these global risks are often diminished, or even ignored, in current enterprise risk management. One reason for this is that global risks do not fit neatly into existing conceptual frameworks, and fortunately this is changing…

The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks… When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks…

The 2014 annual Emerging Risks Survey (poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows: Financial volatility (24% of respondents). Cyber security/interconnectedness of infrastructure (14%). Liability regimes/regulatory framework (10%). Blowup in asset prices (8%). Chinese economic hard landing (6%)… It’s interesting to observe the diversity in understanding of emerging business risk definitions. For example; Lloyd’s: An issue perceived to be potentially significant but may not be fully understood or allowed for with respect to– insurance terms and conditions, pricing, reserving or capital setting… PWC: Large-scale event, circumstances beyond direct capacity to control that impact in ways difficult to imagine today… S&P: Risks that do not currently exist…

In the article Managing Risk: Where Are You on the Curve?, Ralph Jacobson writes: The management of business risk is now at the forefront of senior leaders’ key agenda items. Knowing how to assess risks and properly manage them is a critical organization competency that must be fostered for long-term business sustainability. To do so requires new language and tools to facilitate effective strategic thinking, decision-making, and decisive action…

Here are some thoughts to help senior leaders transition to a world characterized by significant risk, for example; the S-curve is effective for evaluating risk and determining the various kinds of action that should be taken at specific points in time. The curve suggests that growth and change happen along an almost predictable trajectory of three distinct phases… Knowing where an issue falls on the curve determines the most effective action.


One of the powerful attributes of the model is that it can provide a timely way to determine when a new discontinuous change occurs and its relationship to the current state. The S-curve can be used to determine the types of organization and leadership issues that will be encountered on the journey… It’s a Collision of two worlds: The generic S-curve suggests that when a few pioneers start a new S-curve (green line) they are initially ignored by those who remain intent on achieving the historical performance metrics and objectives… The existing stakeholders (pink line) view the green line as an unnecessary drain on resources at a time when financial and people assets will be at lower levels because the organization is experiencing ‘stage-3’ decline…


Caught between these forces are those who resist change and those who under-appreciate the accomplishments of the past… senior leaders must help each side understand the need to do both; maintain the past approaches long enough to reap short-term benefits and focus on establishing the successful implementation of the new to achieve long-term benefits… The concept of the S-curve helps leaders frame the situation so that players depersonalize their negative energies, and helps each side find value in the other. It’s in this manner that the senior leader can help balance such risks as the ‘long and short-term’; current financial model and the new model…

Historically companies have viewed business risk through a functional lens (financial risk, human capital risk, supply chain risk, etc.), and by focusing on one distinct ‘silo’ you can miss the interrelatedness of risk to a company; that is, miss those connections and you may misfire when attempting to manage it… According to Robert S. Kaplan and Anette Mikes; Organizational biases inhibit the ability to discuss risk and failure. In particular, teams facing uncertain conditions often engage in ‘group think’: Once a course of action has gathered support within a group, those that are not yet on board tend to suppress their objections, however valid, and fall in line… Which means that many businesses, rather than mitigating risk, actually incubate risk by tolerating minor failures and defects– treating early warning signals as false alarms– rather than alerts to imminent danger…

According to Gerard Joyce; managing business risk makes a company’s actions more predictable, thus more successful. The ISO 31000:2009 standard outlines principles and guidelines to follow in implementing a structured process for managing business risk effectively. Managing business risk in a systematic way can be an enabler, e.g.; decision-making is more informed, presumptions and assumptions are challenged, and actions taken are more likely to achieve desired outcomes. A structured process highlights the ‘Key Risk Indicators (KRIs)’ or early warning signs that need to be monitored. These enable the organization to take pre-emptive action to avert or mitigate significant outcomes…

According to Jeanne Lauf Walpole; business risk management is the identification, assessment and economic control of those risks that can endanger the assets and earning capacity of a business… Once a complete list of risks has been established, then each risk should be assessed for its probability of occurrence, for example: Very likely to occur; Some chance to occur; Small chance to occur; Very little chance to occur… Also, it’s important to evaluate potential financial damage that can result from each risk, and respond appropriately. Business risk management decisions must be based upon preventing as much risk as possible, although complete eradication may not be realistic, and/or mitigating risks at a level that’s at least tolerable for the business…


According to Peadar Duffy; risk and strategy are intertwined, and one cannot exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it’s vital that consideration is given to ‘risk appetite’ when business strategy is formulated– and that requires a well-conceived business strategy and superior execution, on the one hand… and very serious risk assessment and process, on the other…

According to Adi Alon, Wouter Koetzier, Steve Culp; most companies opt to reduce uncertainty by leveraging the traditional– stage-gate innovation process. Stage gates are designed to identify the best ideas by putting them through multiple reviews or gates… This concept, in principle, is extremely effective but in reality new opportunities tend to be defined very narrowly.

As a result, promising new ideas that are a little off center are often smothered. And while many of the innovation initiatives that do gain approval are low risk, they offer only low returns– incremental improvements that usually do little more than maintain market share. Whereas, prudent risk-taking when managed properly is the foundation for business growth and sustainability…

Internet Security via De-Perimeterisation–Adapting to Changing Markets, Technology, Behavior: Outdated Castle-and-Moat…

Security: The most challenging aspects of enterprise security are the changing types of threats and the shifting business environments being protected, e.g.; mobility, cloud… and other trends that are altering the way we work.


Business security networks appear completely unprepared to deal with threats from– new technologies of communication, risk behavior of users, interoperability with third-party systems, outsourcing… The perimeter-based traditional security approach (i.e., castle-and-moat model) hinders development of enterprise systems and creates the delusion of protection.

To overcome these threats; de-perimeterisation, a data-safety oriented paradigm, was conceived: De-perimeterisation is a term coined by the ‘Jericho Forum’ to describe the erosion of the traditional ‘secure’ perimeters or ‘network boundaries’ as mediators of trust and security. Today’s successful enterprises must be structured to be adaptable to market changes with regard to– people, process and technology. If information systems and processes that support the enterprise cannot adapt easily, in order to enable the enterprise to adapt, then the enterprise loses competitive position in the marketplace…

Although most organisations already have some form of perimeter security mechanisms (e.g. firewalls, encryption, authentication…), many have not bothered very much with the question of– what happens if and when information-data leaves the business premise on USB memory sticks, CDRs… methods frequently used by employees. However, change is beginning to occur as traditional enterprise security vendors are looking to include– additional levels of control in their offerings…

According to the ‘Jericho Forum’; de-perimeterisation is simply the concept of architecting security for extended business boundary and not an arbitrary IT boundary. De-perimeterisation, on business level, can be simply described as– the changes that stem from natural desire of organisations to interact with the world outside their organisation: It’s a concept-strategy for protecting organization’s information-data on multiple levels with a mixture of encryption, inherently secure computer protocols, inherently secure computer systems, data-level authentication… In contrast, an organization’s reliance, typically, is only on its (network) boundary-perimeter-security…

According to Mark Waghorne, KPMG; for many organisations, de-perimeterisation may not be the best security solution, given the complexity of managing the approach… de-perimeterisation probably suits larger, more connected organisations better than smaller organisations. According to Paul Simmonds; de-perimeterisation of network security is inevitable as companies continue to form closer links with business partners– de-perimeterisation is a trend that business cannot afford to ignore…

In the article Business Security–Beyond the Firewall, Richard Anstey writes: Today’s disruptive technology is changing both how we do business and how businesses are structured. Enhanced connectivity and cloud computing, together with trends, such as; ‘bring your own device’ (BYOD) and flexible working practices are blurring the line between internal-external business processes and calling established security strategies into question.

The protective security barrier around physical networks provided by firewalls is increasingly anachronistic as a primary defence mechanism. Whether businesses sanction it or not, employees are collaborating freely, and increasingly conducting their work outside the perceived ‘protection’ of the firewall, leaving corporate data more vulnerable than ever before.

Business security should no longer be dependent on reinforcing perimeters, but rather on protecting data while enabling secure and free-flowing collaboration. To accomplish this, CIOs need to evaluate security strategies based on their flexibility rather than their rigidity, and on enabling secure and effective communications regardless of access point. This disintegration of established protective perimeters and the evolution of an open architecture are termed de-perimeterisation.

As systems become more interconnected, they offer ripe pickings for the technologically advanced attacker. Now, more than ever, business users are operating across and around organisational perimeters, and the resultant blurring of barriers has widened the opportunity for attack… Security needs to be revisited; trying to maintain one universal line of network security defence is a losing battle.

The focus should be on securing the data itself rather than the networks. A de-perimeterised security structure shifts the reliance on an outer boundary to a blend of powerful encryption, secure protocols and effective authentication. Such an approach addresses changing security needs raised by BYOD, cloud services and an increasingly mobile workforce, and employees are able to securely access the information-data that they require from the device and location of their choice.

Collaboration with partners and colleagues can also then occur in the cloud in a managed and secure way, enhancing business processes and productivity… There can be no doubt that this is a time of significant change for business. Progressive businesses and CIOs are recognising that traditional tried-and-tested security models do not suit the new connected shape of business today; however, technologies, such as; 4G… are acting as a catalyst for implementing new security approaches to meet the needs of a more connected workforce; as well as; enhancing business productivity– securely.

In the article Rethinking De-Perimeterisation, André van Cleeff writes: For business, the traditional security approach is the hard-shell model: An organisation secures all its assets using a fixed security border; trusting the ‘inside’ and distrusting ‘outside’. But as technologies and business processes change, this model loses its attractiveness. In a networked world, ‘inside’ and ‘outside’ can no longer be clearly distinguished.

We don’t question the reality of de-perimeterisation; however, we believe that the analysis of the security problem, as well as, the usefulness of the proposed solutions have fallen short: The notion that there is no linear process for blurring security boundaries, in which security mechanisms are placed at lower and lower levels, until they only surround data– is debatable.

To the contrary, typically there is a cyclic process of systems connection-disconnection; and as conditions change, the basic trade-off between accountability and business opportunities is being appropriately made every time… Apart from that, data level security has inherent limitations and there is great potential for solving security problems differently–rearranging responsibilities between business and individuals…

In the article IT Security, David Lacey writes: Corporate perimeters are already leaking confidential data and letting in malware. The situation will progressively get worse. It’s not good enough to shore up traditional security defences– we must be more proactive and implement new solutions.

A survey of 100 top security practitioners was illuminating: Around 70% believed that ‘insiders’ represent the greatest risk, with employees at the top of the list. Traditional ‘hard shell’ security doesn’t address this risk. A majority of those polled also believe that their security network already has a porous perimeter. So what exactly do we need to make it work? In many views, the key enablers are– strategy and architecture. To achieve true de-perimeterisation will require state-of-the-art components assembled in state-of-the-art architecture.

We need new ambitious infrastructure, such as; a ‘modern federated identity management system’ that can work efficiently across an ‘open network’ security environment. However, implementing such infrastructure is not a trivial task. It involves a complete rethinking of authentication, provisioning, management process… It demands an architecture and network topology that can deploy encryption, authentication and policy enforcement controls in the most effective positions. But most of all, it requires a big vision, an up-front investment in technology and a realistic migration plan.

The single biggest change in the business security-threat landscape is the evolving transition from– mass-produced scattergun-style spam, phishing and defacement campaigns to highly customised and sophisticated attacks… The biggest challenge is the increase in mobile devices being used in the work environment and the breakdown between their owners (i.e., workers) and corporate IT…

According to Anthony Caruana; there are two things that are a big concern; the erosion of the effectiveness of ‘two-factor’ authentication and the rising popularity of social engineering among a class of attackers who previously haven’t presented much of a threat…

According to some experts; authentication is a growing issue, and if viable solutions are not forthcoming, then it may necessitate less desirable alternatives, such as; a move to single-use transaction devices, for example; a tablet computer issued by a bank that can only connect to the bank and nowhere else... However, according to most experts; security done well– can best be described as security built into the very DNA of an organization: Every business process, every job function, every requirements specification must have information-data security built-in as a key consideration.

Security becomes part of the culture of an organization… there needs to be a pragmatic approach, which is negotiated with workers; where benefits for workers and business are highlighted… For example, considerations, such as: Can you hook your own iPad up to the company network? Yes. Do you get to make all your own decisions on configuring the iPad? No. Can you install all apps? No. Can you get rid of the passcode because it’s irritating? No… In return, of course, the workers’ personal stuff on the device will be safer, too… It’s a win-win for business and workers…

The Jericho Forum’s commandments for information security are: The scope and level of protection must be specific and appropriate to the asset at risk. Security must enable business agility and be cost-effective. Boundary firewalls may continue to provide basic network protection, but individual systems and data will need to be able to protect themselves. Security mechanisms must be pervasive, simple, scalable and easy to manage.

Security systems designed for one environment may not be transferable to work in another. Thus it’s important to understand the limitations of any security system. Devices and applications must communicate using open, secure protocols. Security through obscurity is a flawed assumption – secure protocols demand open peer review to provide robust assessment and wide acceptance and use. The security requirements of confidentiality, integrity and availability should be assessed and built into protocols as appropriate, not added on…

The trouble with most companies is that they grow from a security system that works to a system that no longer fits the changing requirements. Proper change controls and regular reviews are necessary for improving enterprise security and mitigating potential business internet-communication risks…

Companies Too Big to Fail or Too Big to Exist: Dilemma– Morton Fork, Hobson Choice, Darwin Rule…

Once you lose your freedom to fail, you also lose your freedom to succeed and you cease to be a free society. ~Jeb Hensarling

Too big to fail (TBTF) is a phrase used in regulatory economics and public policy and describes certain enterprises and institutions that are so large and so interconnected that their failure will be disastrous to the economy. Therefore, the federal government has a responsibility to support them when they face difficulty, so goes the logic.

Proponents of the theory believe that the importance of some institutions means they should become recipients of favorable financial and economic policies from governments or central banks. Some economists, such as, Nobel Laureate Paul Krugman hold that economies of scale in banks and in other businesses are worth preserving, so long as, they are well-regulated in proportion to their economic clout; therefore, the too big to fail status can be acceptable.

In addition, the global economic system must also deal with sovereign states (countries) that are too big to fail. Critics see the policy as flawed and hold that large banks or other institutions should be left to fail, if their risk management is not effective. Critics, such as, Alan Greenspan, believe that such large organizations should be deliberately broken up: If they’re too big to fail, they’re too big.

In the article Too Big to Fail, Kimberly Amadeo writes: The phrase too big to fail arose during the financial crisis to describe why the government needed to bail out some companies. Big banks, insurers… improved their profitability by creating, then selling, complicated derivatives…

When the economy was booming, they derived an unfair competitive advantage, took over smaller firms, and became even bigger. When their investments started going south, they knew the taxpayers would be forced to bail them out– or risk global economic collapse. An example is AIG, one of the world’s largest insurers. AIG was too big to fail because, if they went bankrupt it could trigger the bankruptcy of many other financial institutions…

Lehman Brothers, an investment bank, was also too big to fail but the government refused a bailout and it filed for bankruptcy, triggering a deep drop in the stock market… The mortgage giants, Fannie Mae and Freddie Mac, were also too big to fail because they guaranteed 90% of all home mortgages.

The government guaranteed $100 million in their mortgages, in effect, returning them to government ownership. If Fannie and Freddie had gone bankrupt the housing market decline would have been much worse, since banks were not lending without their guarantees...

Enter the Dodd-Frank Wall Street Reform Act, which is the most comprehensive financial reform since the Glass-Steagall Act. It sought to regulate the financial markets and make another economic crisis less likely. It set-up the ‘Financial Stability Oversight Council’ to prevent any more banks from becoming too big to fail. How? It looks out for risks that affect the entire financial industry. It also oversees non-bank financial firms like hedge funds.

If any of these companies get too big, it can recommend they be regulated by the Federal Reserve, which can ask it to increase its reserve requirement. The Volcker Rule, another part of Dodd-Frank, also helps end too big to fail. It limits the amount of risk large banks can take. It prohibits them from trading in stocks, commodities or derivatives for their own profit; they can do so only on behalf of customers, or to offset business risk.

In the article “Big Banks: Now Even Too Bigger to Fail” by David J. Lynch writes:  Two years after the Obama administration vowed to eliminate the danger to the economy from financial institutions that are too big to fail; those same institutions, the nation’s largest banks are bigger than they were before the financial meltdown. Five banks: JP Morgan Chase, Bank of America, Citigroup, Wells Fargo, and Goldman Sachs– held more than $8.5 trillion in assets at the end of 2011, equal to 56% of the U.S. economy, according to the Federal Reserve, and that’s up from 43% five years earlier.

These banks, today, are about twice as large as they were a decade ago relative to the economy, meaning trouble at a major bank would leave the government with the same Hobson’s choice it faced earlier: let a big bank collapse and perhaps wreck the entire economy or inflame public ire with a costly bailout. ‘Many believe that nothing has changed, that too big to fail is fully intact,’ says Gary Stern. Giant institutions sheltered under an invisible government umbrella pose ‘a clear and present danger to the U.S. economy’.

This isn’t what the president had in mind two years ago when he vowed to prevent the further consolidation of the banking industry. The sprawling Dodd-Frank financial regulation bill that he signed in July 2010 was designed to avoid a repeat of the government’s frantic rescue of failing banks. Yet credit-rating companies Standard & Poor’s and Moody’s aren’t convinced that the too big to fail threat has been vanquished.

According to Richard Spillenkothen, former Fed director: ‘Probably the only way you can be 100% sure you’ve solved too big to fail,’ he says, ‘is by doing away with banks that are too big.’

In the article “Too Big to Fail – Too Big to Govern – Too Big to Manage.” by John W Rodat writes: The recent news that JP Morgan Chase had incurred a $2 billion trading loss reminds us again of the risks, to the rest of us, of organizations that are not only too big to fail, but too big and complex to be effectively managed.

Professor Simon Johnson, economist, puts it in simple terms:  The lessons from JP Morgan’s losses are simple. Such banks have become too large and complex for management to control. The breakdown in governance is profound. Conventional regulation will not protect either the economy or society because regulators have even less information and what information they do have is even more delayed than in the organizations they presume to regulate. 

The only effective solution is to reduce the size and perhaps the complexity of organizations that are so interlinked with the economy and society that the economy and society cannot afford to let them fail. According to Johnson; while information processing capabilities have grown to an extraordinary degree over recent decades, they have still not kept up with the growth in the size and complexity of large financial institutions. When too big to manage meets too big to fail; disaster – or another bailout – is inevitable.

In the article “If It’s Too Big to Fail – Is It Too Big to Exist?” by Eric Dash writes: Nearly a century ago, the jurist Louis Brandeis railed against what he called the ‘curse of bigness’. He warned that banks, railroads and steel companies had grown so huge that they were lording it over the nation’s economic and political life. ‘Size, we are told, is not a crime,’ Brandeis wrote. ‘But size may, at least, become noxious by reason of the means through which it is attained, or the uses to which it is put.’ Brandeis worried that the corporate giants of his day would imperil democracy through concentrated economic power.

His essays, published in 1914 under the title, ‘Other People’s Money and How the Bankers Use It’, helped drum up support for the creation of the Federal Reserve System, antitrust laws, and trust busting.  Devotees of economic Darwinism insist that corporate size, and its accompanying economies of scale, brings progress and benefit to consumers.

But how big is too big to fail? And how would you measure it anyway? In the case of big organizations, policy makers argue that interconnection of modern finance, as much as the size of the players, is the real issue. Frederic S. Mishkin, former Fed director, said; ‘there could be no turning back on too big to fail. You can’t put that genie in the bottle again. We are going to have to deal with it’.

In the article Too Big to Fail or Too Big to Change by Chad Johnson, Bernstein Litowitz Berger & Grossmann LLP write:  Pundits have criticized the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) as capitulating to the interests of big finance; citing the characterizations of SEC settlements as mere slaps on the wrist and the DOJ’s failure to convict a single executive responsible for creating the great recession despite significant evidence of misconduct. 

While the SEC has reached several settlements in connection with misconduct related to the financial meltdown, those settlements have been characterized as cheap, hollow, bloodless, and merely cosmetic, as noted by John C. Coffee, law professor. The relative lack of prosecutions stemming from this financial meltdown stands in sharp contrast to the government’s response to past corporate malfeasance.

The criminal cases arising from the ‘Savings and Loan’ scandals of the 1980s and 1990s, where some of the biggest kingpins– including Charles Keating of ‘Lincoln Savings & Loan’ and roughly 3,800 other bankers– were thrown behind bars, as well as, the Enron and WorldCom accounting debacles in the early 2000s where Jeffrey Skilling, Kenneth Lay and Bernard Ebbers were jailed, demonstrated that executives would be held accountable for their crimes.

As David Einhorn, hedge fund manager, told The New York Times; ‘since there have been almost no big prosecutions, there’s very little evidence that the government has stopped bad actors from behaving badly.’ Simply put, without forcing executives to answer for their misconduct, no amount of financial reform will restore public trust in government or the markets…

Too big to fail (TBTF) has no clear guidelines and thus any large organization can claim; it’s vital to the health of the economy, because its failure would have a domino effect on suppliers. For example, large oil companies going out of business would have a terrible impact on supplies of gasoline and heating fuel…

Big pharma companies produce antibiotics and vaccines… which are essential, and an interruption in their supply could have catastrophic consequences from a public health point of view… According to Michael Heberling; TBTF is problematic, because it indirectly influences how companies are managed. If there is a real, or implied, government safety-net, management might be inclined to take on more risk for greater profit… ‘Expecting a government bailout if things go wrong creates an incentive for a company to take on risk and enjoy the associated increase in return’, said Gregory Mankiw.

According to Thomas Sowell, ‘the hybrid public-and-private nature of these activities amounts to privatizing profit and socializing risk since taxpayers get stuck with the tab when high-risk finances don’t work out.’

In other words, it is a travesty to say or imply that the current crisis stems from market failure. The most troubling aspect of the ever-increasing number of government bailouts is the subtle change overtaking the entire country.

The mindset of companies and individuals today is shifting away from self-responsibility. We blame everyone else for our mistakes and look to others (the taxpayer) to come to the rescue. When it comes to handouts and bailouts the government is no longer simply on the slippery slope– it’s in free-fall. Every bailout makes it harder to say no when the next TBTF request comes forward…

If you put all your eggs into one basket, you better watch that basket. ~Mark Twain

Risk Taking & Leadership: Irrational, Reckless, Irresponsible, Swim with Sharks; Or, Rules-Breaker, Shaker, Taker, Maker…

Only those who risk going too far; can possibly find out how far they can go. ~T.S. Eliot

Risk taking is a critical element of leadership and essential for a leader’s effectiveness. Risk taking can be defined as… “Undertaking a task in which there is a lack of certainty or a fear of failure.” The problem at the core of risk taking is fear; fear of failure, fear of success, fear of looking like a fool, fear of seeming ignorant, fear of seeming too aggressive…

Taking risk means confronting the fears/challenges and having the courage to move forward, or recognizing that the calculated risk is beyond the tolerance of the consequences… the difference between calculated risks and risky behavior.

According to Seth Godin; “playing it safe and not taking a risk is probably the most dangerous thing you could do in today’s rapidly changing and highly competitive business environment”. Without an element of risk, nothing would ever be accomplished.

According to Elaine Love: “Whether you are starting a new business or working on a new marketing plan within your current business, there is an element of risk. You can reduce the risk, but nothing ever removes all of the risk.” Reward comes in direct proportion to the risk involved. The best results come to those willing to take a chance; an important reminder for entrepreneurs, financiers, and political leaders as the global economy navigates through rough times…

In the article Leadership Requires Risk Taking by Steve Adubato writes: Leaders of all stripes say they want their people to ‘think and act outside the box’. While everyone talks about risk taking, employees who actually have to take the risks are often reluctant to do so. Why is that?

If real leadership sometimes requires the taking of smart and calculated risks, why are there so many barriers and obstacles to making this happen? Consider the following:

  • Employees aren’t really convinced that senior organizational leaders want them to take risks. They hear the rhetoric, but aren’t sure that their bosses will still stand behind them if the risk goes bad and things don’t turn out right.
  • All the horror stories about someone who took a risk and got his head handed to him. Organizational culture is shaped largely by these stories.
  • Not enough success stories of people who took risks. If people can’t readily identify others around them who have thought and acted outside the box and who were recognized for it, it can be really tough to get people to “buy in.”
  • Fear: Fear of failure. Fear of succeeding. Fear that as a risk taker you will be perceived as ‘kissing up’ to upper management.
  • Employees aren’t clear on the organization’s top priorities and strategic objectives. People need to know that the benefit derived from the risk they take will be directly connected to the goals that are most important to the organization.

In the article “Swimming With The Sharks: Perspectives On Professional Risk Taking” by Julie J. McGowan writes: Risk taking is a defined component of leadership, but risk taking must be grounded, a favorable balance of benefits weighed against the potential dangers of taking the risk. Risk taking is done on a daily basis, although some embrace risk taking more than others.

Risk taking is hard to adopt among leaders, because recognized leaders have the most to lose and aspiring leaders may be discounted as lacking in knowledge or common sense. However, most well-known leaders at some point face a challenge that requires risk taking. This becomes a measure of their greatness. This will set their leadership apart from others. In looking at the global marketplace, technological innovations, and leadership, a number of studies focused on the future have all concluded that risk taking will be an integral part of any successes.

Sharing risk is also considered a critical attribute for the new global business leader. Key to success in any undertaking is to understand that risk taking is an integral part of leadership. However, risk taking by itself without understanding the nuances of the challenge will doom any project to failure. ‘McLean and Weitzel’ propose a classification of risk as it relates to decision-making.

They suggest that the likelihood of risk taking is found in a four-quadrant grid, with ‘high reward, low risk’ the most likely to be selected and ‘low reward, high risk’ the least likely. In addition, they look at common generic fears that accompany risk taking and find the most motivating to be fear of failure, fear of embarrassment, fear of disappointing others, and fear of resentment.

Successful risk takers acknowledge their fears… Jimmy Johnson, football coach, once said, “Do you want to be safe and good, or do you want to take a chance and be great?”

In the article “Risk Strategies: Are You a Rule Breaker, Shaker, Maker, or Taker?” by  John Kador writes: To determine your company’s attitude toward risk, you need to examine whether your enterprise would be considered; a rule breaker, a rule shaker, a rule maker, or a rule taker.

Each of these terms reflects a strategy or posture that people or companies take-on to define their willingness to take risks. Successful companies excel by engaging in one of four types of relationships to deliver value to their chosen customers. The key is focus on a single strategy:

  • Rule breaker: Rule breakers bust up business models. They explode in an industry by offering a new paradigm so compelling in its benefits that it simply cannot be ignored. Rule breakers often have first and preferred access to: Customers and markets, best talent in the market, funding and venture capital, most valuable partners.
  • Rule maker: Holding a position as a rule maker is a highly desirable state because it is a token of the fact that you dominate the industry to such an extent that everyone else has little choice but to play follow-the-leader.
  • Rule taker: You don’t have to be a trailblazer to be successful. Rule takers can look at what competitors are doing, benchmark companies outside their industry, get track records of what’s worked, and then copy whatever has been successful.
  • Rule shaker: Rule shakers believe that a good way to get fruit is to take the branches of a tree and start shaking. Not every initiative will bear fruit, but some will. Rule shakers distinguish themselves from rule breakers by being content to Web-enable or otherwise juggle a larger number of non-critical business processes.

In the article “How to Become a Successful Risk Taker” by Steve writes: Of all the skills in life to learn, I believe risk taking is the most important. Imagine how dull your life would be if you never took chances. Becoming a risk taker seems to have a negative connotation, and it brings up images of danger, hazards or even loss. But no matter how dangerous the idea of risk taking, there is an even greater danger of not taking risks.

Risks are a key ingredient to living life to the fullest and, fortunately, the skills of becoming a successful risk taker can be learned. When you understand how fears limit you then overcoming them is easier. Gambling is an extreme form of risk taking. The key difference between a risk and a gamble is the consequences.  If the situation you’re taking would seriously set you back or even ruin you, if it didn’t work out; that’s a gamble.

A calculated risk is something that even if it doesn’t work, you’ll easily recover, and be able to function normally afterwards.  There is a fine line between the two, but if you carefully ease into risk taking, you’ll get a good instinct of where the line (tolerance) is for you. Once you learn how to become a successful risk taker, you’ll be able to take-on just about any challenge and work for the best outcome. 

Fear will still be there, but it can be managed. As Dale Carnegie once said, “Take a chance! All life is a chance. The man who goes the furthest is generally the one who is willing to do and dare.”

In the blog “Why Creativity And Risk Taking Is Critical To Leadership Success” by Duncan Brodie writes: Leaders are ultimately judged on the results that they deliver. Sometimes it can be easy for leaders just to tread water, especially when things seem to be going well. Yet in truth continued creativity and risk taking is critical to leadership success:

  • Leadership success is about finding new or better ways of doing things or meeting needs of customers or clients.
  • Leadership success is about finding different solutions to long-standing problems or issues that are getting in the way of results.
  • Leadership success starts with an idea or concept that needs to be developed.
  • Leaders need to be willing to dip their toes into the pool of uncertainty without fear of failure.

In these highly competitive and fast-moving times pushing the boundaries; personal, team, and organization is not an option, but a necessity. Leaders who want to achieve success understand that taking risk is an essential part of achieving results.

Leaders must discover their ‘risk tolerance’ by stepping out of the comfort zone and engaging:

  • Don’t let restricted thinking stop you.
  • Focus on the rewards.
  • Learn from mistakes.
  • Recognize that success and failure are connected.

If you want to be successful as a leader you need to be comfortable taking risks. Risk taking is a vital part of leadership. Leaders have the courage to begin; while others are waiting for better times, safer situations, or assured results. Leaders are willing to take a risk because they know that too much caution and indecision rob them of opportunity and success. They are willing to fail in order to succeed… President Harry Truman said, “Life is risky”. Leaders take risks.

“The person, who risks nothing, does nothing, has nothing, is nothing, and becomes nothing. He may avoid suffering and sorrow, but he simply cannot learn and feel and change and grow and love and live.” ~ Leo F. Buscaglia

Corporate Secrecy & Privacy & Roles of Whistleblowers, Informers, Leakers, Hackers…: The Booming Market for Secrets & Deceptions…

“Secrecy is critical to more businesses than most people might imagine. Entire industries are based to some extent on the process of creating goods and services and then putting them behind walls of secrecy.”

‘Secrecy & privacy’ is an important part of corporate culture in every industry: Is there a difference between ‘privacy’ and ‘secrecy’? According to Jeremy Fisher, ‘secrets’ can be shared, whereas ‘privacy’ is a solitary experience. Unlike privacy, secrets are used to gain power and the element of surprise. Unlike secrecy, privacy is a way of shutting out external influence. The main problem when trying to define the differences between privacy and secrecy is that they can mean different things to different people.

According to Chad Perrin, the key to maintaining secrecy is to reorient one’s perspective on security. Protect the ‘right’ things and you can maintain reasonable security. Protect the ‘wrong’ things and you are doomed before you begin. The shelf life of a secret, especially in large organizations, is increasingly minuscule, and effectively limited only by the quickness with which modern technology can be leveraged to distribute such secrets beyond the set of people authorized to access those secrets. Companies become successful, in part, by staying one step ahead of the competition.

They accomplish this by keeping sensitive information, i.e., trade secrets, confidential. What is a trade secret? Many states have adopted a statute known as the ‘Uniform Trade Secrets Act’, which serves as the model for trade secrets. Simply, a trade secret is any private information about a business that gives an economic advantage over the competition. Typically trade secrets include: customer lists, formulas, patterns, software, devices, methods, techniques, processes, financial records, contracts, and the like; information that would be very valuable to the competition. The law protects this information, as long as reasonable steps have been taken by the company to protect it.

In the article “Is Secrecy Necessary in Business” by Philip R. Diab writes: Every organization has sensitive information that it guards carefully and protects against competitors or non-authorized individuals gaining access to it. This type of information can be technical documentation on the inner-workings of products, strategic plans, market research, or a variety of other types of documents. In fact, conventional wisdom has held in the past that the organization should not reveal documents such as strategic plans to anyone but a select few so as not to jeopardize the success of these plans.

However, there are leaders in the field who advocate the exact opposite in terms of sharing such information and being a bit more transparent with employees, suppliers, customers, and even competitors.  It’s likely that there will not be agreement as to what should be shared versus what should be ‘hidden’ from others, what can be agreed is the fact that some information should be considered confidential.  Confidentiality is a part of the business culture and in every industry.  This makes good business sense; however, what should be of concern is the confusion between confidentiality and secrecy.

I’ve observed that in some organizations there are individuals who behave in an almost paranoid manner.  So rather than focus on protecting confidentiality, they go above and beyond to scaring everyone from sharing any information with anyone because they fear negative consequences. While it may seem that secrecy and confidentiality are the same concept, in my perspective they are greatly different.  Secrecy is focused on withholding information from individuals and groups.

Confidentiality on the other hand is focused on ensuring that any information that is shared with an individual or group is not given to someone who does not have authorization to see it. What is necessary is to set clear governance policy that balances the need for transparency as well as confidentiality, while avoiding secrecy…

In the article A World of Secrets: Why We Should Cherish Leakers and Hackers by Bob Simpson writes: In a world of secrets and lies there are groups like WikiLeaks, Anonymous and information leakers that supply the truth… Yes, they do break the law. It is often necessary to break the law to achieve justice. Corporations both large and small keep secrets. It’s a bizarro world of trade secrets, non-disclosure agreements, patent abuse, competitive advantage, insider trading, tax evasion, environmental and labor law evasion, conspiracies in restraint of trade, political bribery, influence peddling and even murder.

Violations of the public trust are common. Outright lawbreaking is just part of doing business. Prosecution and punishment is rare. When global corporations have wealth greater than many countries and even employ their own private armies, this should surprise no one. If it takes leakers and hackers to liberate accurate information, then so be it. The leakers and the hackers are part of a non-violent resistance movement to the government and corporate madness that is engulfing our planet…

There is a growing ‘market for secrets’; WikiLeaks’ posting of 250,000 confidential, diplomatic cables has been called traitorous, treasonous and despicable – but could it also be prophetic?  According to Stewart Brand; “information wants to be free”, at the first Hackers’ Conference back in 1984, “because the cost of getting it out is getting lower and lower all the time.”  The growth of global computer networks and the creation of massive databases have led to the collapse of the information-price bubble, which makes it easier for hackers, activists and just about anyone else to become a WikiLeaks source.

This trend has coincided with rising distrust of government and corporations. Distrust provides motivation. The result is a ‘market for secrets’ that will certainly grow much faster than anyone’s ability to control it. While much of the outrage about WikiLeaks and its founder, Julian Assange, has centered on the legal and national security implications of the releases, the real question is whether the movement toward forced transparency can be stopped. In an interview, Assange tells Forbes’ Andy Greenberg that his website is receiving more confidential information than he can find time and resources to publish.

Andrew Sullivan of ‘The Daily Dish’ observes that many governments face a difficult dilemma: “Trying to crack down on the organization would only give it more publicity, which would allow it to attract more leaks.” As Greenberg notes, many of the top minds in the field of cyber-security (including former hackers) now work for the Defense Advanced Research Projects Agency, which created the Internet. The agency’s tactics include network forensics, the process of monitoring every ‘fingerprint’ on a server to track the actions of data trespassers. While this approach won’t seal the floodgates, it may deter the next leakers.

In the report “The Value of Corporate Secrets” by Forrester writes: Proprietary company secrets generate revenue, increase profits, and maintain competitive advantage. In addition, custodial data such as customer, medical, and payment card information has value because regulation or contracts make it toxic when spilled and costly to clean up. Secrets that have intrinsic value to the firm are always specific to the enterprise’s business context. An interested party could cause long-term competitive harm if it obtains these secrets. Keeping proprietary knowledge away from competitors is essential to maintaining market advantage.

An interesting case of theft of trade secrets is that of Xiang Dong (“Mike”) Yu, a former employee of Ford Motor Company, who copied around 4,000 documents belonging to the company before leaving it, without notifying anyone of his plans or giving notice, and traveling to China. The documents have been evaluated and are said to be worth between $50 and $100 million, and include designs of various Ford car components such as the engine/transmission mounting subsystem, the electrical distribution system, the generic body module, and others. Almost two years after he left, he accepted a job offer with the Chinese-based Beijing Automotive Company and shared the documents with his new employer…

As Andy Greenberg points out, financial reform has expanded whistleblower incentives to reward corporate employees who report illegalities.  It offers the conscience-stricken and vindictive alike a chance to publish documents largely unfiltered, without censors or personal repercussions, thanks to privacy and encryption technologies that make anonymity easier than ever before.  What’s a corporate CEO to do?

The choice is simple; either run an honest business or risk painful, massive leaks of information. “In the struggle between open and honest companies and dishonest and closed companies,” Greenberg says, “we’re creating a tremendous reputational tax on the unethical companies.”  Most people don’t become whistleblowers when they simply object to a management strategy. They go public when they feel they’ve been treated badly, or when they believe someone is violating the law.

For the rest of us, says Sullivan, it’s time to come to terms with a new reality:  “We live increasingly in a world without curtains or even veils… When the cost of leaking information is low… When leakers are motivated by incentives… It is clear that the business of publishing secrets is entering a boom market.”  Companies have plenty of good reasons to keep things under wraps; whether they’re trade secrets, upcoming products, or even confidential government contracts. However,  some businesses take things beyond what seems normal, going to great lengths to keep questionable information as secret, even going so far as to keep their entire company secret for years…

“The link between secrecy and deceit is so strong in the minds of some that they mistakenly take all secrecy to be deceptive” ~Sissela Bok

“Secrecy was Bernie Madoff’s hallmark. When the reporter for Barron’s pressed him for details, Madoff simply replied: It’s a proprietary strategy. I can’t go into it…”