Analysis: Risk Management

By Jeffrey Rothfeder  |  Posted 11-01-2001


Introduction

In the days following the Sept. 11 attack on the World Trade Center in New York City, The Bank of New York Co.'s securities settlement system, through which fully half of the trading in U.S. Treasuries moves, was in large measure silenced for nearly a week. It wasn't that the bank's backup systems, mostly redundant hardware and software, didn't work. Nor was it a matter of the systems being too close to Ground Zero. Instead, the problem was that BONY's backup sites were now suddenly compelled to communicate with many of its customers' own backup technology. Dozens and dozens of new electronic relationships had to be forged. Astonishingly, the links between these computers couldn't handle anywhere near the capacity needed to carry the data load; what's more, the backup systems were rife with bugs, the legacy of neglect and ill-conceived testing.

As with so much of the fallout from the Trade Center attack, the lesson BONY learned was an expensive one. The bank reported in October that system failures and loss of business related to the disaster shaved third-quarter earnings by fully 37 percent, or $140 million. And that figure doesn't even begin to address the hundreds of millions of dollars in lost trades for the bank's customers while the communications systems sat idle.

What makes the Bank of New York case so telling is that in smaller and less publicized versions, virtually every company affected by the events in lower Manhattan—and that includes businesses operating as far away as Silicon Valley that couldn't get the raw materials they needed to produce their products—found itself facing similar operational setbacks. Companies have spent millions on contingency plans, disaster recovery schemes and risk management techniques only to discover that in the face of a real catastrophe, they simply hadn't planned for the worst.

In one of the few detailed surveys of corporate vulnerability to major unexpected disasters, Comdisco Inc. found in 1999 that 30 percent of 200 of the largest U.S. companies had no business continuity plans in place. It hasn't changed much since then, says Gartner Inc. security analyst Roberta Witty: "Attention to rare and unlikely risks is not something that company management does well. The crisis of the day always gets priority."

Not anymore. The terrorist attacks of Sept. 11 are forcing companies large and small to rethink their risk strategies, and to develop new approaches that could transform not only how businesses organize their planning, but how they are structured from top to bottom. "Corporate risk management has been based on history and probability, and on defending against a recurrence of what has already occurred," says Ian I. Mitroff, director of the University of Southern California Center for Crisis Management. "Now, after the World Trade Center, we've learned that there is no limit to the unthinkable and that the unthinkable is what we actually have to protect ourselves from."

Companies have been scrambling to re-evaluate almost every facet of how they manage risk and plan for disasters. This, in turn, is inspiring an unexpected sea change in how the modern corporation operates. Everything is being reconsidered, from employee surveillance and trust to calculating returns on security measures, the appropriate level of network protection, inventory levels, safeguarding key brands, quickly installing new technologies and identifying the corporation's top priorities.

Supply Lines

For most companies, the latter will likely involve identifying the most essential aspects of their operations—those that would compromise the organization's very survival if they were weakened by an attack of some kind—and then creating a plan specifically to protect them. The result: a more targeted strategy designed to safeguard the most critical and most potentially vulnerable operations rather than a broad-based approach incapable of concentrating on the most indispensable areas.

Consider a relationship with a trusted supplier who not only has to provide components as they're needed without interruption but who also maintains sensitive information about the purchasing company's plans and designs. The interaction between customer and supplier depends on countless network connections and data, but only some of it—the blueprints for next year's new product line and the strategy for launching it, for instance—has to be carefully guarded. Consequently, rather than a homogeneous security scheme, additional precautions, in the form of hiring people with carefully monitored backgrounds, expanded encryption technologies, limited network access, extra backup systems and secure alternate workplaces, would be taken for only the most sensitive segments of the supply chain.

"In a relatively low-threat environment, people were willing to accept certain risks across the board to try to protect everything," says James Morris, executive vice president at Veritect, the private-sector division of Veridian Corp., a security consultancy. "Now our clients around the world are worried specifically about the most important parts of their systems, saying, 'Help me understand what we're going to do if a truck bomb or bioterrorism makes it impossible to access our place of business and our computers. Where do my people go to work? How do they get information to keep operating? How can I keep manufacturing, provide customer service and get supplies? And how can I be sure that none of my competitors is taking advantage of my weakness and stealing essential data?'"

Few companies have codified their thinking on how to respond to the new risk equation, and fewer still are willing to talk publicly about their plans. Chip foundry Silterra Malaysia Sdn. Bhd. is an exception. The company, which has sales and marketing offices in Sunnyvale, Calif., and is headquartered in Malaysia, is majority-owned by the Malaysian government, which hopes to gain a footing in the highly profitable electronics component business. The chipmaking industry is cutthroat—intellectual property is so vital to survival that competitive intelligence and corporate spying are endemic—but Silterra is even more at risk. Its primary competitors are other Asian nations that have worked with local businesses to develop semiconductor foundry ventures of their own, and thus are likely to go to any lengths, perhaps as far as sabotage, to defend their investments.

Keenly aware of this, last May, Silterra CEO Cyril Hannon, a semiconductor veteran who had run worldwide operations at LSI Logic Corp., hired Rick Dove, an expert in adaptive organizations and cultures, to serve as CIO and set up Silterra's security program. Dove tackled his job as if the company were in immediate jeopardy. Assuming the company will be attacked in some way perhaps not even fathomable today, Dove began to create a system designed to be less reactive than typical security programs. The company, Dove feels, is just as likely to suffer an attack from within—a disgruntled employee or a worker paid off by a rival—as from without, so his approach essentially keeps the company in a constant state of high alert.

Dove is building layers of technology that constantly morph—passwords are modified automatically, biometric identifiers are installed as new ones are developed and their parameters keep shifting, public-key encryption formulas are added and then changed minute to minute, network access is limited just to those specific areas particular employees need to reach—and even that is constantly in flux, depending on the projects they're working on. He's even planning disinformation campaigns designed to lure suspected employees into network dead ends in unauthorized areas to catch them before they do any real damage.

Moreover, only Dove will know every aspect of the security system; that way, it can't be easily compromised. Dove plans to set up what he calls a "specialty department" dedicated to safeguarding the technology—as opposed to the ad hoc collection of IT people that generally passes for a security team now—and to put each person on the team in charge of a tiny piece of the total operation. "They'll be compartmentalized enough and unaware of exactly what each other is doing so they can't compare notes about what's going on inside without it being very obvious," says Dove, the founder of Questa, N.M.-based Paradigm Shift International.

If his system sounds like a wartime intelligence and counterintelligence operation, it's because that's what companies actually need to have in this difficult environment. And although Silterra's Hannon was one of the few executives who took the potential of corporate terrorism seriously before the attack on the World Trade Center and the Pentagon, since then Dove has gotten increasing support from the company's other top managers, many of whom are now urging Dove to move more quickly and aggressively.

"What we had before was ambivalence: 'Why are we spending so much money on so little obvious return?' Now, what we have is recognition and thankfulness that something is actually being done to protect the company and its people," says Dove.

Return on investment, however, remains a touchy subject. Companies, especially in lean times, are not particularly anxious to spend money on projects that don't enhance revenue or develop new assets. Some crisis experts remain concerned that the sudden enthusiasm for protective measures is more a short-term outgrowth of fear than a permanent change in sentiment. To thwart this, Dove and other CIOs are adopting a real-options approach to measuring the ROI of a security program that actually places a value on the program and lets management decide whether to continue it based on how well it is performing, rather than judging it by a simple year-after-year depreciation model.

The technique involves creating different scenarios that could develop at various points throughout the life of the security program, and placing a potential value on each of the scenarios. For instance, a $500,000 investment in a biometrics system could have a value of $10 million if it succeeds in thwarting an attack during its first three years and saves three days of revenue. Like a call option on a share of stock, if these scenario price targets are met, the investment is shown to have real worth to the company and may continue to be funded; if not, the company may rethink its security formula. "It makes for an adaptable culture," says Dove, "that forces us to reassess because there are actually prices attached to what we did."

While the Silterra model is focused primarily on network and technology security, in the new, more suspicious business environment, its proactive, SWAT-team approach is already being mirrored in varying guises at many corporations. A number of companies are beginning to reassess the vaunted just-in-time inventory systems that, by ensuring that no manufacturing materials are purchased until they are absolutely needed, boosted factory productivity and efficiency so significantly in the past decade. Suddenly, the idea of minimal inventory carries a potentially large price tag of its own. Many U.S. companies lost three days or more of materials shipments following the Sept. 11 attacks, and only the dubious silver lining of a slow economy has mitigated the impact. Consequently, some U.S. manufacturers, including Xerox Corp. and Ford Motor Co., have announced plans to expand their on-hand inventory to as many as three days at some key plants so any disruption in deliveries won't affect output and financial aftershocks are limited.

Brand Matters

But perhaps the most critical example of how companies will become more vigilant about protecting their most valued assets from the unexpected is the renewed focus on the vulnerability of brands. According to security experts, many companies now fear that their success, which is really just the sum of the credibility and popularity of their products, could be hampered by stealthy terrorist attacks on items they manufacture and sell. Consider the current plight of the U.S. Postal Service: The anthrax scare, no matter what its source, has dealt yet another blow to an organization beset by high-priced labor, highly efficient competition and technology that can increasingly sidestep its primary service. Already, calls are going out to resort to e-mail in sending mission-critical business communications.

With that as an object lesson, security experts are advising companies to isolate the brands they can't afford to let be harmed by an attack. Using this knowledge, the company can then dedicate resources to ensure that the most critical manufacturing and sales activities related to these products—whether it be the purchase and delivery of materials, the safeguarding of the brand's formula or designs, quality control or shipping logistics—are backed by the most secure technology and protected at key stages by executives and workers who have been thoroughly investigated and can be trusted with such critical roles. And to make sure that this heightened state of attentiveness is maintained, employees could be given incentives in the form of increased compensation or promotions for uncovering new points of vulnerability in systems connected to these essential brands, and for devising solutions to overcome weak links.

Says USC's Mitroff: "Corporations are finally realizing that they have to train people to think, 'What is contained in our most important brands or our marketing brochures or the system that runs our factories or the management team that makes decisions or even the structural design of our building, such that if it was altered in any way—by any completely unknown possibility—it would decimate our business and reputation?'"

Like the global battle against terrorism itself, reaching this degree of targeted security may take a long time at most companies and will require CIOs to change their mindset from systems to strategy—from installing technology based on a hoped-for return to understanding their companies' most essential priorities and plans, and developing proactive technology to protect and further them. For CIOs this is an opportunity to move closer to the strategic core of the organization, but it will only be successful if they respond to these potentially increased responsibilities with a higher than normal level of creativity and flexibility.

So far, this tends to be happening only at companies where CIOs have played a starring role even before the Trade Center crisis. In the days following the attack, Merrill Lynch & Co.'s fiber-optic communications failed so frequently that the IT department at the brokerage quickly installed a series of lasers to transmit data wirelessly from its lower Manhattan headquarters to backup sites in Jersey City, N.J., across the Hudson River. Merrill's chief technology officer, John McKinley, is among the more influential in the financial services industry, and he's directly involved in setting corporate strategy and linking systems to it. Still, prior to the attack, an installation of this sort would have taken months of development and testing. And layers of management would have had to approve the project. Now, without any other options and because it faced imminent disaster, Merrill has had to loosen its bureaucracy. In the process, the company has taken a chance on a promising new wireless technology that could help it disperse information over handheld devices and laptops more freely—and even give it a leg up on its rivals—long after its communications snafus are over.

To combat risk in the riskiest and most changeable of business environments, many experts recommend that companies build the organization around a central crisis management team that culls the knowledge and experiences of all parts of the organization. That means naming a chief crisis officer who can coordinate the specific operational needs of different departments, organize contingency plans, and arrange backup sites for communications, manufacturing and office-based employees.

"Where risk may have once meant, perhaps naively, just making sure a virus doesn't bring down a computer system, now each company has to re-examine every part of its access to the world, whether through the Internet or physically," says Tony Borek, director of IT architecture at Tecolote Research Inc., a Santa Barbara, Calif.-based company that conducts risk analysis for the federal government. "Risk management was never simple, but now it seems like it was. We just didn't understand how complicated the risks were."

Jeffrey Rothfeder writes frequently about business, security, environmental and technology issues. Comments on this story can be sent to editors@cioinsight.com.

Resources

Books

Managing Crises Before They Happen: What Every Executive Needs to Know About Crisis Management
by Ian I. Mitroff
Amacom, 2000

Response Ability: The Language, Structure, and Culture of the Agile Enterprise
by Rick Dove
John Wiley & Sons, Inc., 2001

Web Sites

www.parshift.com — Paradigm Shift International hosts this online forum and information resource about adaptable corporate culture.

www.real-options.com — A community site that explores how to use real options as a business strategy.