Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy.  Operational Risk Management (ORM) spans the hazards on the flight deck on the USS Ronald Reagan (CVN 76) or behind enemy lines or even to employee behavior on the front lines of the private sector on Wall Street:

"The recent conviction of Michael Coscia in the Federal District Court in Chicago in the first prosecution for “spoofing” provides more clarity to high-frequency trading firms about how they can operate. The message is to tread carefully when a strategy depends on using orders that will be quickly canceled because the government may claim they are an effort to manipulate the market by fooling others into trading.

Spoofing was made illegal in the Dodd-Frank Act, which prohibits “bidding or offering with the intent to cancel the bid or offer before execution.”

Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people that they surround on their team, who think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts out with the basics even in the vast private sector beyond Wall Street:

• Revenue is not booked according to the rules. Products sit in the warehouse yet revenue ends up on the sales reps commission report because (s)he had a signed order.
• Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist and accounts receivables are inflated.

These are just two of the many facets of occupational fraud that starts with a few cowboys who have little regard for managing risk and all the incentives to line their pockets with new found cash or bonuses.

From Leadership Lessons of the Navy SEALS

The Cowboy

"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."

"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".

InTP: Quality of Design in a New Age of Terror...

Executive Management and the Board of Directors are waking up today, with a key thought on their minds.  As a result of the horrific act of terrorism in San Bernadino, CA USA this week, how effective are the "Insider Threat" Programs (InTP) that are now being tasked:

The FBI said Friday that it is investigating the San Bernardino, Calif., massacre as an act of terrorism, with officials revealing that the Pakistani woman who teamed with her husband in the slaughter went on Facebook afterward to pledge her allegiance to the leader of the Islamic State.

The husband terrorist was employed by a county government agency in California.  Just as your place of employment has a "Duty of Care" for the safety and security of it's employees, any nexus with home grown violent extremism or terrorism on a government or private sector ecosystem requires a strategic focus.

( U.S. Code Title 22 Chapter 38, Section 2656f(d) defines terrorism as: “Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.”^[18])

The Board of Directors or Under Secretary, in concert with Operational Risk Management (ORM) professionals within the enterprise have a fiduciary responsibility that now has a new spotlight.

The husband terrorist was a U.S. citizen working as an environmental health specialist in San Bernardino County.  He was a devout Sunni Muslim.  He had recently traveled to Saudi Arabia for two weeks, home of the 9/11 hijackers.  When he returned, he was growing a beard and married to a devout Sunni Muslim woman he met online.  Witnesses have stated that his new wife had substantial influence on his religious beliefs.  Was some or all of this a potential "Red Flag" by family members or co-workers?   Could she have been a clandestine agent?

The presence of an "Insider Threat" Program (InTP) is evident in hundreds of top tier Fortune 500 organizations and almost 100% of government contractors who may have "Sensitive Compartmented Information Facilities" (SCIF).  U.S. Executive Order 13587 requires that an organization have an InTP in place.

This still leaves thousands of vulnerable businesses and governments agencies at the state and local levels without the resources, expertise and policy-based programs to effectively administer a lawful and effective InTP or hybrid "Insider Threat" strategy.  It is imperative to assist in the continuous protection of physical and digital organizational assets, including the precious lives of all employees:

As a result, many organizations will be asking senior management about the initial implementation of an InTP or to review the effectiveness of a current InTP that is already in progress, at a Defense Industrial Base (DIB) contractor.  So what?

What does the current InTP in your organization, have to do with the adverse consequences that may occur?  Why could those potential consequences of an InTP that has been designed incorrectly or implemented without control metrics, create substantial risk and liability to the enterprise?  How can you address the Operational Risks associated with an "Insider Threat" Program?

Here are several key design areas, to mitigate the potential likelihood of unintended consequences of a failed InTP design:

• Staff or employees who utilize the InTP incorrectly with intent or by accident
• Top management loss of reputation by supporting an aggressive InTP Progam
• Collision course with formal EEOC Whistle blower protections and processes
• Friction with internal Human Resources relationships

These are just a few examples of the many areas that should be addressed in the initial design of a high performing InTP.  The problematic cases as a result of low quality design, are building bad PR and new employee lawsuits are gaining attention.  The aggressive actions by management may create a high rate of "False-Positives," that alienates employees, increases privacy violation claims and impacts corporate culture.

The integrity and the credibility of the InTP is paramount, if we are to continue to utilize it as an effective tool in the Operational Risk Management (ORM) strategic plan.  Managing risk on vital enterprise assets requires dedicated people, tested processes and robust systems that will not erode support.

Where are the vital process, training and systems areas that need focus or have the ability to be designed correctly from the start:

1. Relationships with Management & Employees
2. Investigation of Incidents and Reports
3. Management Behavior after an Employee Red Flag
4. Implications of the Culture of Trust

Organizational behaviors and the "Duty of Care" are in the spotlight again, as a result of the San Bernadino terrorist attack.  The quick reaction by hundreds of companies to implement InTP that have not done so already, will spawn thousands of new litigation examples that have a nexus with security and privacy in the workplace.

In essence, you need to have a specific executive management intervention, that does not over react.  You should have a independent facilitated off-site meeting to better understand what can go wrong, why it happens and what to keep an eye on.  Finally, what you can do about it.

The opportunity now is for you to strategically implement or adjust the InTP within your organization.  Why you do this and how you proceed, is vital to the enterprise risk management of the company.  How you and your employees behave from this point forward, will forever impact the culture of trust in your organization.

Our thoughts and prayers to all of the victims and the families impacted by this act of terrorism in the U.S. Homeland...