Archive for the ‘risk management’ Category
Scott Laningham and I are starting to think about repacking our suitcases and preparing to head back out on the road, this time across the pond to Madrid for the IBM Smarter Commerce Global Summit May 22-24.
In Madrid, we expect to hear quite a bit about IBM’s investment in the analytics space, but that doesn’t mean we have to wait to visit the Prado to relate some interesting details about business analytics.
Specifically, predictive analytics that can help companies across the span of industries to prevent fraud.
Here’s a sound bite you may not have yet heard: Did you know that insurance fraud has reached an estimated $80 billion per year in the U.S. alone?
And in South Africa, the rate of short-term insurance fraud is about 15 percent of all premium costs.
And yet, we’ve also found that organizations that effectively apply predictive analytics are 2.2 times more likely to outperform their peers.
One such client of IBM is Santam, South Africa’s leading short-term insurance company, which has saved $2.4 million on fraudulent claims in the first four months of using IBM business analytics software.
This new analytics solution has not only enhanced Santam’s fraud detection capabilities, however — it has also enabled faster payouts for legitimate claims.
In partnering with IBM, Santam’s claims division developed a new operating model for processing claims, depending on varying risk levels. IBM’s predictive analytics software has enabled Santam to automatically assess if there is any fraud risk associated with incoming claims and allows the insurer to distribute claims to the appropriate processing channel for immediate settlement or further investigation, which in turn optimizes Santam’s operational efficiency.
In turn, Santam is able to reduce the number of claims that need to be assessed by mobile operatives visiting the customer or claim site, resulting in further considerable cost savings for the company.
IBM: Investing In Analytics, Predicting Results
In the last five years, IBM has invested more than $14 billion in acquisitions. With investments in SPSS, Clarity, OpenPages, i2 and Algorithmics, and others, IBM is building business analytics solutions providing clients with capabilities for managing fraud, risk and threat. In addition, IBM has assembled almost 9,000 dedicated analytics consultants with industry expertise, and created a network of eight global analytics solution centers.
The Santam project also illustrates IBM’s leadership in analytics in Africa. IBM is also actively laying the foundations for a major presence throughout the African continent, with offices in more than 20 African countries, where the company is assisting businesses and governments in building strategies, expertise, solutions, frameworks and operating procedures to help improve performance.
I’m back from IBM Impact 2012…but my brain is still processing all the information I took in through all the interviews Scott and I conducted for ImpactTV and for all the sessions I attended…and I won’t mention all the cocktails in the evenings where I learned SO much from my industry peers.
I’ll be putting together a recap post of some of the major announcements, and I’ve still yet to transcribe my interview with Walter Isaacson, but first, I wanted to highlight an important new study from IBM on the security front.
For those of you who follow the Turbo blog, you know the issue of security (particularly cybersecurity) is one I take very seriously and that I follow closely, partially because of my longstanding interest in the topic, and partially because I recognize we live in an imperfect world using imperfect technology, created and used by imperfect humans.
But the promise and hope for security, fallible though it may sometimes be, is a worthy aspiration. There are ideas, assets, and often even lives at risk, and the more we move up the stack into an intellectual capital driven global economy, the more there is at stake and the more that will be needed to protect.
So, that’s a long way of saying expect to be hearing even more from me on this important topic.
Chief Security Officers: “We’ve Got Our CEO’s Attention”
To that end, now for the new information security study results. The new IBM study reveals a clear evolution in information security organizations and their leaders, with 25 percent of security chiefs surveyed shifting from a technology focus to a more strategic business leadership role.
In this first study of senior security executives, the IBM Center For Applied Insights interviewed more than 130 security leaders globally and discovered three types of leaders based on breach preparedness and overall security maturity.
Representing about a quarter of those interviewed, the “Influencer” senior security executives typically influenced business strategies of their firms and were more confident and prepared than their peers—the “Protectors” and “Responders.”
Overall, all security leaders today are under intense pressure, charged with protecting some of their firm’s most valuable assets – money, customer data, intellectual property and brand.
Nearly two-thirds of Chief Information Security Officers (CISOs) surveyed say their senior executives are paying more attention to security today than they were two years ago, with a series of high-profile hacking and data breaches convincing them of the key role that security has to play in the modern enterprise.
Emerging Security Issues: Mobile And A More Holistic Approach
More than half of respondents cited mobile security as a primary technology concern over the next two years. Nearly two-thirds of respondents expect information security spend to increase over the next two years and of those, 87 percent expect double-digit increases.
Rather than just reactively responding to security incidents, the CISO’s role is shifting more towards intelligent and holistic risk management – from fire-fighting to anticipating and mitigating fires before they start. Several characteristics emerged as notable features among the mature security practices of “Influencers” in a variety of organizations:
- Security seen as a business (versus technology) imperative: One of the chief attributes of a leading organization is having the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. In fact, 60 percent of the advanced organizations named security as a regular boardroom topic, compared to only 22 percent of the least advanced organizations. These leaders understand the need for more pervasive risk awareness – and are far more focused on enterprise-wide education, collaboration and communications. Forward-thinking security organizations are more likely to establish a security steering committee to encourage systemic approaches to security issues that span legal, business operations, finance, and human resources. Sixty-eight percent of advanced organizations had a risk committee, versus only 26 percent in the least advanced group.
- Use of data-driven decision making and measurement: Leading organizations are twice as likely to use metrics to monitor progress, the assessment showed (59 percent v. 26 percent). Tracking user awareness, employee education, the ability to deal with future threats, and the integration of new technologies can help create a risk-aware culture. And automated monitoring of standardized metrics allows CISOs to dedicate more time to focusing on broader, more systemic risks.
- Shared budgetary responsibility with the C-suite: The assessment showed that within most organizations, CIOs typically have control over the information security budget. However, among highly ranked organizations, investment authority lies with business leaders more often. In the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets. Lower ranking organizations often lacked a dedicated budget line item altogether, indicating a more tactical, fragmented approach to security. Seventy-one percent of advanced organizations had a dedicated security budget line item compared to 27 percent of the least mature group.
Recommendations to Evolve the Security Role in an Enterprise
To create a more confident and capable security organization, IBM recognizes that security leaders must construct an action plan based on their current capabilities and most pressing needs. The report offers prescriptive advice from its findings on how organizations can move forward based on their current maturity level.
For example, those “Responders” in the earliest stage of security maturity can move beyond their tactical focus by establishing a dedicated security leadership role (like a CISO); assembling a security and risk committee measuring progress; and automating routine security processes to devote more time and resources to security innovation.
About the Assessment
The IBM Center for Applied Insights study, “Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment,” included organizations spanning a broad range of industries and seven countries.
During the first quarter of 2012, the Center conducted double-blind interviews with 138 senior business and IT executives responsible for information security in their enterprises. Nearly 20 percent of the respondents lead information security in enterprises with more than 10,000 employees; 55 percent are in enterprises with 1,000 to 9,999 employees.
Things just haven’t been looking up for Tiger Woods. I watched Phil Mickelson pound him last Sunday in the last round of the AT&T Pebble Beach Pro-Am, and then Thursday, he loses to Nick Watney in the second round of the Accenture Match Play tournament, 1 down on the 18th where his putter failed him once again with a 5 1/2 foot birdie putt.
I’m still excited about catching more of the Accenture this weekend before I head off on a two-week travel swing (First stop, Toronto, in the Great White North…although I hear it’s not going to be so white!)
In the middle of this trip, you’ll find me in Viva Las Vegas for the IBM Pulse2012 event, being held at the MGM Grand March 4-7.
Let me just say, if you’ve followed the systems management space for any length of time, this is most definitely not your father’s Tivoli. Through acquisitions of the likes of Tririga and Maximo, the IBM Tivoli line has become an instrumental component in the IBM Smarter Planet initiative, with technology that now manages not only your computer systems, but also everything from physical assets to building space.
This year, Pulse will focus on several key areas, including cloud, mobility, smarter physical infrastructure, and security. We’re expecting some 8,000+ attendees, including your peers focused on fundamentally and cost-effectively changing the economics of IT and speeding the delivery of innovative products and services.
We’ll also have some very special guests in attendance, including Maroon 5 to entertain our tired and weary service management masses, along with Steve “Woz” Wozniak, co-founder of Apple.
Yours truly, along with my partner-in-crime, Scott Laningham, will be in attendance, blogging and broadcasting live (and on demand) from the Pulse showcase floor.
More details as they emerge…which they surely will.
In the meantime, enjoy your Sunday and the Academy Awards broadcast, and don’t forget to follow the Twitter sentiment being tracked by IBM and the Annenberg School via the “Senti-meter.”
If you’ve been curious as to what IBM has been up to on the security front, today’s a good day to check in.
Earlier today, the Dow Jones AllThingsD blog had this post about some new capabilities IBM is announcing on the security front.
Today, IBM unveiled several new services planned for its security intelligence platform designed to combine deep analytics with real-time data feeds from hundreds of different sources to give organizations, for the first time, the ability to help proactively protect themselves from increasingly sophisticated and complex security threats and attacks using a single platform.
Organizations today are struggling to defend themselves against an onslaught of ever-evolving data breaches, such as theft of customer and employee information, credit card data and corporate intellectual property.
To date, many corporations have been unable to create a security defense system because they have cobbled together technologies that don’t integrate in an intelligent and automated fashion. This patchwork approach has created loopholes that hackers can exploit.
The QRadar Security Intelligence Platform, designed by Q1 Labs and acquired by IBM last fall, tackles this problem head-on by serving as a control center that integrates real-time security intelligence data from more than 400 different sources.
Major breakthroughs planned in the security platform include:
- Threat Intelligence – Intelligence from one of the world’s largest repositories of threat and vulnerability insights is planned to be available based on the real-time monitoring of 13 billion security events per day from the IBM X-Force Threat Intelligence Feed. This insight can flag behavior that may be associated with Advanced Persistent Threats, which may emanate from teams of attackers accessing networks through stealth means.
- Visibility into Enterprise Activity – The platform will unite events from IBM and non-IBM products that span four areas of organizational risk – infrastructure, people, applications and data.
- Pinpoint Analysis in an Age of Big Data – The platform can drill down to basic data elements to help analyze issues emanating from network access information at the periphery to database activity at the core of a business.
New Integrations Bring Real-Time Security Analytics
With new integrations to be made available, the analytics platform can quickly identify abnormal activity by combining the contextual awareness of the latest threats and methods being used by hackers with real-time analysis of the traffic on the corporate IT infrastructure.
For example, the future integrations permit the platform to detect when multiple failed logins to a database server are followed by a successful login and access to credit card tables, followed by an upload to an unknown site.
“We chose the QRadar platform to build on and deliver our vision of a streamlined, highly intelligent platform to serve as our central nervous system for enterprise-wide monitoring,” said Ken Major, Information Security Officer at AmeriCU Credit Union. “It enables us to achieve our goals, industry best practices and regulatory compliance.”
One of the significant planned integrations for the QRadar platform is IBM’s X-Force Threat Intelligence Feed, based on the real-time monitoring of 13 billion security events per day, on average, for nearly 4,000 clients in more than 130 countries.
The QRadar platform will have visibility into the latest security trends worldwide to help protect enterprises against emerging risks. QRadar will present current IBM X-Force threat feeds in dashboard views for users, and correlate an organization’s security and network events with these threats and vulnerabilities in real-time using automated rules.
Other planned integrations will allow the QRadar Security Intelligence Platform to help clients more rapidly identify threats by connecting events from the following categories:
- People: Organizations should control access to key systems and information. An employee’s unauthorized access to key databases and client information can leave a firm vulnerable to security breaches. With security intelligence, security teams can quickly determine whether access patterns exhibited by a given user are consistent with the user’s role and permissions within the organization. IBM Security Identity Manager and IBM Security Access Manager will integrate with the QRadar platform, complementing QRadar’s existing support for enterprise directories such as Microsoft Active Directory.
- Data: Data is at the core of security; it is what’s behind every security measure in place, and is the primary target of cyber-criminals. With IBM Guardium Database Security integrated with the security intelligence platform, users will be able to better correlate unauthorized or suspicious activity at the database layer – such as a database administrator accessing credit card tables during off-hours – with anomalous activity detected at the network layer, such as credit card records being sent to unfamiliar servers on the Internet.
- Applications: Applications are vital to day-to-day function but can also introduce new and serious vulnerabilities into company networks. Applications, because of their sensitivity, should be updated frequently. Organizations however are often unable to patch immediately due to corporate testing requirements and change control cycles. With security intelligence, companies will be able to automatically alert security teams to unpatched Web applications that risk being attacked by known application-layer exploits that have previously been identified by IBM Security AppScan. This planned integration complements existing QRadar support for monitoring enterprise applications such as IBM WebSphere and SAP ERP.
- Infrastructure: Today, organizations struggle to secure thousands of physical devices, such as PCs and mobile phones, especially as Bring Your Own Device (BYOD) continues to grow in popularity. For this reason, companies should take extra precautions to help employees to follow secure practices in using these devices. With IBM Endpoint Manager integration, the security platform can provide organizations with enhanced protection of physical and virtual endpoints: servers, desktops, roaming laptops, smartphones and tablets, plus specialized equipment such as point-of-sale devices, ATMs and self-service kiosks.
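The multi-stage correlation described above (repeated failed database logins, a successful login, access to credit card tables, then an upload to an unfamiliar host) and the off-hours case in the Data item can be sketched as follows. This is an added example, not QRadar code or rule syntax; the event fields, thresholds, host names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for this illustration (not taken from any product).
FAILED_THRESHOLD = 3                      # failures that make a later success suspect
WINDOW = timedelta(minutes=30)            # maximum gap between correlated stages
SENSITIVE_TABLES = {"credit_cards"}
KNOWN_DESTINATIONS = {"backup.corp.example"}
BUSINESS_HOURS = range(8, 18)             # 08:00-17:59


def correlate(events):
    """Alert when suspicious access to a sensitive table is followed by an
    upload from the same source to a destination outside the known set."""
    failures = defaultdict(deque)   # (src_ip, db_host) -> recent failed-login times
    suspect_logins = {}             # (src_ip, user) -> time of success after failures
    suspect_access = {}             # src_ip -> (time, user, table, reasons)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, kind, src = e["ts"], e["type"], e["src_ip"]
        if kind in ("db_login_failed", "db_login_success"):
            recent = failures[(src, e["db_host"])]
            while recent and ts - recent[0] > WINDOW:
                recent.popleft()          # forget failures outside the window
            if kind == "db_login_failed":
                recent.append(ts)
            else:
                if len(recent) >= FAILED_THRESHOLD:
                    suspect_logins[(src, e["user"])] = ts
                recent.clear()            # a success resets the failure counter
        elif kind == "db_table_access" and e["table"] in SENSITIVE_TABLES:
            reasons = []
            login_ts = suspect_logins.get((src, e["user"]))
            if login_ts is not None and ts - login_ts <= WINDOW:
                reasons.append("login_after_repeated_failures")
            if ts.hour not in BUSINESS_HOURS:
                reasons.append("off_hours_access")
            if reasons:
                suspect_access[src] = (ts, e["user"], e["table"], reasons)
        elif kind == "net_upload" and e["dest_host"] not in KNOWN_DESTINATIONS:
            prior = suspect_access.get(src)
            if prior and ts - prior[0] <= WINDOW:
                del suspect_access[src]   # one alert per correlated chain
                alerts.append({"time": ts, "src_ip": src, "user": prior[1],
                               "table": prior[2], "dest_host": e["dest_host"],
                               "reasons": prior[3]})
    return alerts


def make_event(hhmm, kind, src_ip, **fields):
    """Build one constructed sample event on an arbitrary date."""
    ts = datetime.strptime("2012-02-22 " + hhmm, "%Y-%m-%d %H:%M")
    return {"ts": ts, "type": kind, "src_ip": src_ip, **fields}


# Constructed sample events: database audit records and network flow records.
SAMPLE_EVENTS = [
    # Off-hours DBA access followed by an upload to an unfamiliar host.
    make_event("02:15", "db_login_success", "10.0.0.9", user="dba1", db_host="db01"),
    make_event("02:20", "db_table_access", "10.0.0.9", user="dba1", table="credit_cards"),
    make_event("02:30", "net_upload", "10.0.0.9", dest_host="files.unknown.example"),
    # Normal login and access in business hours: the upload alone does not alert.
    make_event("10:00", "db_login_success", "10.0.0.7", user="analyst", db_host="db01"),
    make_event("10:05", "db_table_access", "10.0.0.7", user="analyst", table="credit_cards"),
    make_event("10:10", "net_upload", "10.0.0.7", dest_host="files.unknown.example"),
    # Failed logins, then success, table access and an upload to an unknown host.
    make_event("14:00", "db_login_failed", "10.0.0.5", user="appsvc", db_host="db01"),
    make_event("14:01", "db_login_failed", "10.0.0.5", user="appsvc", db_host="db01"),
    make_event("14:02", "db_login_failed", "10.0.0.5", user="appsvc", db_host="db01"),
    make_event("14:03", "db_login_success", "10.0.0.5", user="appsvc", db_host="db01"),
    make_event("14:05", "db_table_access", "10.0.0.5", user="appsvc", table="credit_cards"),
    make_event("14:06", "net_upload", "10.0.0.5", dest_host="backup.corp.example"),
    make_event("14:10", "net_upload", "10.0.0.5", dest_host="files.unknown.example"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["time"], alert["src_ip"], alert["user"], alert["reasons"])
```

No single event here is alarming on its own; the alert comes from the ordered chain across the database and network layers, which is why the events must share a key (here the source address) and a time window.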
QRadar integration modules are also planned for Symantec DLP, Websense Triton, Stonesoft Stonegate and other third-party products, increasing QRadar’s ecosystem and continuing Q1 Labs’ long-standing approach to multi-vendor heterogeneous environments.
Solutions to Analyze Big Data
In addition, the QRadar platform has been expanded with Big Data capabilities for storing and querying massive amounts of security information, and functionality for helping to secure virtualized infrastructures and providing a new level of visibility that helps clients reduce security risk and automate their compliance processes.
The expansion of security and network data sources is complemented by advanced functionality to help organizations keep pace with their exponential data growth. The new deliverables include:
- Instant Search to provide high-speed, free-text querying of both log and flow data, designed to bring the simplicity and speed of Internet search engines to the security intelligence solution.
- The XX24 appliance series to extend the scalability and performance advantages for which QRadar solutions are well known. With the release of the QRadar 3124 SIEM appliances, QRadar 1624 Event Processor and QRadar 1724 Flow Processor – which all include 16TB of usable storage and 64GB of RAM – organizations can support more users, achieve higher performance and store data longer.
- Intelligent data policy management to enable users to designate which information they want to store and for how long. Less important data can be removed sooner to achieve longer retention for more important data.
- Virtual appliances to allow end customers and service providers to capitalize on the virtual infrastructures they have built, while benefiting from lower-priced yet fully capable security intelligence solutions.
The planned integration modules (device support modules) are expected to be included with QRadar SIEM and QRadar Log Manager at no additional cost, via automatic updates.
The Big Data and virtual infrastructure enhancements are available now. QRadar integration modules for IBM Guardium Database Security are planned to be available in 1Q2012.
Integration modules for IBM X-Force Threat Intelligence, IBM Security Identity Manager, IBM Security Access Manager, IBM Security AppScan and IBM Endpoint Manager are planned to be available in 2Q2012.
Visit Q1Labs’ site for more information.
At Information On Demand 2011, day 3, BBC presenter Katty Kay showed up onstage ready to play ball with Moneyball author Michael Lewis and Oakland A’s general manager Billy Beane.
Fitting, considering we’re currently in the midst of this year’s World Series between the Texas Rangers and St. Louis Cardinals (Game 6 is tonight in St. Louis!)
Kay first asked Lewis why a book on baseball statistics, and Lewis explained that people are sometimes misvalued by markets, and that what Beane was doing with his team in Oakland in 2001 was a science experiment where “the lab rats [the players] didn’t really know they were lab rats.”
Lewis went on to tell a hilarious story about first seeing the A’s players walking naked out of the showers, and how what he saw did not seem to be a gathering of muscle-ridden athletes. They were fat, misshaped, and otherwise seemingly disfigured.
When Lewis approached Beane to ask him about this, Beane explained “that’s kind of the point. We’re in the market for defective people. We’re in the market for players whose value the market does not grasp. We’re a magnet for these unattractive bodies!”
Lewis says that’s the moment it hit him: Beane’s assembled the misfit toys of baseball, the people who have been discriminated against because of their appearance and who are greatly undervalued when compared to their actual player statistics.
Lewis went on to explain, “I realized there was this discrimination going on in the market for baseball players. The way they had done it, with statistics, getting below it…the statistics though were besides the point. You had to think of it as a business. These baseball players, who do what they do, for the past 100 years, and there were all these people who considered themselves experts based on intuition instead of actual performance.”
So there they were, October 2001, the A’s v. The Yankees, and Billy Beane had some of the best players out there: Jason Giambi, Johnny Damon…but he knew he wasn’t going to be able to hold on to them, so he was going to have to throw the intuition playbook out the window.
Beane: “I remember thinking I will never have a collection of talent like this. What the heck are we gonna do? We knew they were gonna go (Giambi, Damon, etc.). We knew the whole year that was gonna happen, but we were trying to find some solution and replace in the aggregate what they did. So, we scoured guys who had A skill, not five skills. And because we had no money…we had one of the lowest payrolls…we couldn’t afford to invest in the romance of a player, but really what they could do and with no biases for or against them, just their performance.”
“Quite frankly,” he went on to explain, “if we were ever going to trust the mathematics, this was the time. We had nothing to lose!”
Kay then posed the all important question: How did you come to this way of looking at the data?
Beane responded that “we never claimed to have invented anything. Numbers are historically scary to everybody, and math doesn’t come easy and doesn’t come from sports. Sports are more about the gut. But we had to be a disciplined card counter.”
Lewis elaborated: “The fact that they weren’t actually generating themselves a whole lot of new baseball knowledge, but that a lot of it was on the web, available to any team, and they recognized it as knowledge. And the use of analytics was so critical, as it took them to another decision point in the game of baseball.”
“This is why the market was so hostile,” Lewis went on. “That there was a new and valuable way of analyzing baseball players, because it implicitly undermined their intuition and knowledge of the game. All these years you did this job, spouting out an intuitive response. So it was finding a better way to measure baseball. Baseball stats are so clean, and it’s easy to assign them in the field of play. The second thing was, sports are somewhat anti-intellectual, and baseball was really anti-intellectual. Most of the kids who go on to play the game don’t go to college, and the game itself is not intellectually challenging.”
“You can’t be too stupid to play baseball,” Lewis explained, eliciting great laughter from the audience, and what had to be the most highly-Tweeted quote from the conversation.
Then, to the heart of the matter in terms of bridging baseball analysis to business purpose: How did you get to the right numbers? asked Katty Kay.
Beane: “If you’re following metrics that have no correlation to business success, or in our case, winning games, you’re in trouble. The older the business, the more challenges and the more traditional and conventional thought.
“Baseball started in the mid 1800s. For us, it was simply put, out of necessity, if we had a dollar, where were we going to get the most efficiency from it. Bill James really started this whole thing, but he didn’t have a venue by which to test this out.
“But I was in the game, and I had the forum and the platform, and really no other choice. So, they had to be the stats that correlated the most to winning.”
Beane went on to detail his recipe: “We were able to pile all our chips to guys who got on base, and on base percentage had the strongest correlation to winning games. For us, this was the statistic that had the most impact on winning.”
Kay: In the moments, you have moments of tension with the staff re: intuition. Did you waver at all when you looked at the numbers?
Beane: “There was this perspective that it was risky, but it wasn’t, and the beauty of baseball over time is that there’s so many games you weed out the randomness and ultimately we thought we’d come out where we thought we could. We thought there was more risk in NOT doing it, in going with our guts.”
“To go with our gut would have been the most irrational thing to do.”
Kay: Michael, how do you think Billy was able to get away with this?
Lewis: “He had to be able to intimidate his staff. It was just him and an assistant who were privy to what the goals were. Re: the players, he said, we don’t tell them, it’ll just confuse them.”
“But he did get some resistance, yet it went away, because he was basically bigger than everyone else in the organization. He could beat up everybody there. There’s this law of the jungle quality to the clubhouse. The players also knew he was a better athlete than they were. It came clear to me right away where reason was being imposed by violence.”
Kay: He looked like such a nice guy.
Lewis: “He’s mellowed. He would chew tobacco, and his eyes would get red, and I would think, ‘Don’t get in his way!'”
Kay: Let’s translate that to the business environment. You have to have the confidence to go with what you’re analyzing with the data.
Lewis: “It’s sort of like, did it work or did it not work? The confidence comes from having the information and feeling like you’re right.”
Billy: “As Michael said, the tough thing is how you give out the information, and you have to be careful. One of our directors in the back office, he said, ‘I don’t know what you guys are doing back there, but whatever it is, it works.'”
“If you were disciplined with it, you were going to be right to the end.”
Lewis: “There’s a huge amount of randomness, and you can have made a huge amount of decisions, but you can’t change the process of how you made that decision. People make decisions based on outcomes in sports all the time.”
“If you’re the casino, and you stack the odds in your favor, and you play a really disciplined game, it’s going to be an optimum strategy.”
Kay: You described it as a flipping a coin….if you flip it a million times, it will come out well.
Beane: “The great thing is that the eight teams that get there, those are usually the best teams. But then you get into a round robin series, and the best team doesn’t always win. The Phillies were one of the best teams this year, but micro events did them in.”
“So a lot of decisions are made on those random events that happen in a short series.”
Lewis: “For me, this was not just a sports story, it was a market story. It wasn’t the actual number crunching that interested me, but rather what it exposed about the world around me.”
“You could quantify a player’s value very precisely, but you could value what he’d done in the past. How can a market be so misvalued for such an obvious thing as a baseball player. What’s going on in markets is people are operating using intuition vs. statistics, and that influences their judgement!”
“People generalize from small sample sizes. People overvalue things that are flashy and easy to see, like foot speed or arm strength. And they underestimate things like plate discipline or ability to get on base. The big thing is understanding those biases and you, the business manager, are making at least partially intuitive judgments.”
Kay: Why did you let him write a book about this?
Beane: “This is a long answer. There was a momentum that was already starting to happen, and other teams were out there. Brian Cashman in NY, others, were already on their way. So the book maybe accelerated it a bit. But the information was on the Web so fans could do the same work. And technology, there was just no way to ignore the fact that technology was creating data that they could go out and analyze themselves.”
Kay: Arbitrage only lasts for a small period?
Beane: “Yeah, other people catch on, even with Wall Street. The other thing was, when my assistant came in, who was a Harvard graduate, there was now an avenue for people to come into the game who were highly intelligent. Smart people had an opportunity, and it became a meritocracy in the front office.”
“Today, the people who are running sports teams…well, I like to say, in 10 years, I won’t be employable.”
“And what really captured us about Michael, he said right away, ‘you guys are arbitraging the misevaluation of baseball players.'”
“We sort of viewed him as a resource to us as well. And he was validating everything we did. He became one of the guys.”
Lewis: “I just had a single question: How is this happening? And it was more than five minutes than I caught on, but it was the Wall Street story in the easy 1980s when a previously, not intellectual business, got complicated and people saw arbitrage opportunities in the market.”
“And in the course of the reporting, it became clear that other teams, especially the Boston Red Sox, had started learning what was going on. The Boston folks tried to talk me out writing the book, and they wanted me to try and talk Billy into coming to work for them!”
“You could already see that the market was going to move, and the opportunities I identified in the book were going to go away. So it would have been socially awkward to have thrown me out by this time.”
“So the book was all about them, and all about him [Billy], and he gets a galley, and he’s at spring training in 2003. And he calls me, and he’s upset after reading it. What’s disturbing you?”
“You had me saying ‘F—k’ all the time. And I said, ‘But you do.’ And he says, ‘My mother is going to be furious!'”
“As a coda to the story, when I’m on the book tour, and I’m doing a reading in San Diego, and there’s a lady at the back, with her arms folded like this, and I thought, ‘Oh no…that’s Billy’s mother.'”
“She comes up afterwards and says, ‘My son doesn’t talk like that.’ And I covered for him.” Lewis explained he went on to have the most awkward dinner with Beane’s mother for the next two hours.
Kay: So weren’t you concerned he wrote this blueprint for arbitrage?
Beane: “No. Because I said to Michael, ‘You don’t think anybody in baseball is going to read your book, do you?’”
Huge laughter from the audience.
Cay: But they did. And the game changed…baseball changed…so how are they using analytics today in a way they weren’t 10 years ago?
Beane: “None of them are stupid enough to let Michael in so we don’t know!”
But seriously, Beane explained, “The Yankees now have 21 statisticians!”
Lewis: “Think about why that’s changed. 20 years ago, signed a player who didn’t perform, that was a $20K mistake. Now, that’s a $20M mistake. So all the front offices have evolved and they’ve ballooned their analysis staff.”
“After the book came out, what’s amazing was how it changed. Baseball owners were getting calls from Wall Streeters, telling them they were wasting money. But the industry left to its own devices would have not changed.”
“The lesson? If you got a business with an entrenched culture, you don’t know how entrenched it is. There are so many disincentives to not changing what they know to what they don’t know. There’s a personal resistance to that.”
Cay: So are we seeing a generational shift in the game?
Lewis: “Sure, all these 50 year olds have been lopped off, and all these 20 and 30 somethings are now running the game. There’s a book entitled The Structure of Scientific Revolutions, which explains how middle aged physicists are hesitant to embrace ideas from the younger generation coming after them.”
Lewis concluded: “Progress is a funeral at a time.”
Once again, IBM has published a global business risk and resilience study, this year conducted in partnership with the Economist Intelligence Unit on behalf of IBM.
The study was conducted in June of this year, and included responses from 391 senior executives…Thirty-five percent of the respondents were C-level executives…About 39% were from North America, 38% from Western Europe, 20% from Asia Pacific, and 3% from Eastern Europe.
Companies with less than U.S. $500M in revenue comprised 39% of the responses, and 48% of the respondents hailed from companies with more than U.S. $1 billion in revenue…The survey also covered a gamut of industries, including financial services (16%), IT and technology (16%), professional services (13%), manufacturing (8%) and healthcare (7%).
Before I dive into the results, here’s the setup: Global organizations are increasingly emphasizing business resilience; that is, the ability to rapidly adapt to a continuously changing business environment. Resilient corporations are able to maintain continuous operations and protect their market share in the face of natural or man-made disasters as well as radical changes in the financial or economic climate. They are also equipped to seize opportunities created by unexpected events.
So, the question is, are they?
It’s a mixed bag.
The research suggests that more and more businesses will adopt a more holistic approach to risk management in the next three years as they deal with growing uncertainty and the increasing interconnectedness of the varied risks they face.
That’s the good news, aspirational though it may be.
But in terms of today’s reality, the study indicated that only a minority of companies (37%) has implemented an organization-wide business resilience strategy…with 42% saying they’ll do so in the next three years.
Almost two-thirds (64%) say they have a business continuity plan of some sort, and a robust 58% have dedicated contingency plans for dealing with a variety of risks.
That’s the topline…now on to the deeper dive:
- Larger organizations are more likely than smaller ones to have an integrated strategy. They, of course, typically have more to lose, and complexity increases an organization’s exposure to risk. Larger firms are more likely to have assigned overall responsibility for enterprise risk management to a single executive (which means, of course, direct accountability). Still, there is a contingent of small companies that have adopted integrated strategies. These companies also rank highly with regard to indicators of success such as revenue growth, profitability, and market share.
- Continuity, IT and compliance risks remain in the forefront, but companies are diversifying their strategies to build business resilience. Nearly 40% of respondents say their organization regards business continuity as primarily an IT issue. However, when they’re asked to name their “primary risk management concern,” some name more than one, including disaster recovery (47%), IT security (37%), and regulatory compliance (28%). Though most have started by addressing the largest threats first, they increasingly are expected to turn to such things as communications and training programs designed to build a more resilient culture overall.
- Business resilience planning increasingly involves specialists from across the organization, yet CIOs and IT pros remain the most prominent stakeholders. Hey, what happened to sharing the love…and the risk?? Because a culture that imbues responsibility for risk management at every level enables companies to respond to changes and unexpected events. A solid majority of respondents (60%) say that business resilience is considered a joint responsibility of all C-level execs. Yet as IT penetrates more deeply into every aspect of company operations, CIOs and IT pros remain key players in building more resilient organizations. Fifty-six percent of respondents say the CIO collaborates with top IT strategists much more frequently than three years ago.
How Can I Better Manage Risk Moving Forward?
In most organizations, improving business resilience requires a shift in corporate culture because that is what shapes values and behavior. If a company’s culture blends risk awareness with other corporate values, then people instinctively know the right thing to do when confronted with an unexpected situation, and that reduces risk.
Understanding these principles is a good first step, but in interviews, executives are clear that buy-in from the top is essential to foster broad organizational change. Promoting holistic risk management concepts to peers and employees is also critical.
Taking an incremental approach with broad participation in strategy development can help, because it is easier to promote change if a new initiative is not seen as being pushed by one particular faction.
Senior-level commitment and adequate resources are also needed to develop comprehensive communications and training programs to support integrated risk management. One of the distinguishing features of the most resilient companies is that they are much more likely than other firms to have developed a communications strategy to push the message of resilience out to every corner of the organization.
Companies that embrace these measures are more likely to create an effective business resilience plan. This will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.
Go here to download the full report.