Views and Discussions

Risks in Your Mirror May Be Closer than You Think…

You are familiar with the sign:

“Objects in the mirror are closer than they appear”

It is the “warning sign” on your vehicle’s door or side mirrors. Applying this warning to the risk management space, one can identify examples of risks that are much closer to your organization (and you) than they may appear to be…


18 June 2024

Managing Risk is more than the Framework and Compliance

An observation:

Businesses seem more focused on complying with the framework than managing the risk.

As a profession, we have the opportunity to shift our focus. We can move away from singularly relying on/thinking about the frameworks and compliance and, instead, embrace new thinking, mindset, and decision-making. This is where the future, I submit, of Risk professionals lies.


12 June 2024

Do you really need a more Modern Day Risk Management Framework?

The answer is absolutely! It’s imperative that we update our approach to risk management to align with present-day challenges rather than relying on outdated methods from, as an example, 2020.

Hello, everyone, and welcome to another week of navigating through good risks, bad risks, and complex issues (wicked problems?). There are numerous reasons, among many others, why embracing modern risk management practices is crucial…


10 June 2024

What is your “Goldilocks” limit?

Do you have a Goldilocks limit, and are you aware of it? I think we should find out.

The human brain loves a challenge, but only if it is within an optimal zone of difficulty. You will quickly become bored if you love tennis and try to play a serious match against a four-year-old. It’s too easy. You’ll win every point. In contrast, if you play a professional tennis player like Roger Federer or Serena Williams, you will quickly lose motivation because the match is too difficult.


06 June 2024

Risk Should Force Heightened Management Awareness, but does it?

I am stating the obvious when I say that compliance and assurance are entirely different endeavors from Risk Management: Strategic risk assessments, as part of an effective ERM framework, are critical to preempting risks and preventing unfortunate events from occurring in the first place. Organizations can proactively mitigate potential risks/threats by focusing on strategic risk and ensuring they achieve their corporate objectives.


31 May 2024

The Uninspected Will Always Deteriorate

I often state the following mantra:

“Effective risk management is not a panacea nor a fait accompli. Even with the most robust risk management architecture, things will always go wrong.”

But, I also suggest the following analogy to support the NEED for modern risk management being deployed in the public sector (and private):


20 May 2024

Solar Storms: A Risk Event?

Given the possible impact/effects of a Solar Storm that parts of the world are experiencing, especially in parts of the United States, including my home state of Florida, should these be considered part of your business impact analysis (BIA) as a larger part of your Business Continuity plans and your enterprise risk management framework? (low probability/high impact). Given the impact of these events on power grids and communications, what about the Disaster Risk Management/Reduction framework at the national/Government level?


11 May 2024

Moving Beyond the “ROBOTICS” of Risk Management

As you prepare to face the week ahead (professionally and personally), I would like to take a small point of privilege and respectfully suggest that effective and modern risk management is not, cannot be, just the methodologies, the standards, or the processes. Modern risk management is not a stand-alone process or a “fait accompli.” Much more is needed to reach the end state of effective risk management in this most uncertain, disruptive, risk-prone environment.


06 May 2024

WASA: Re-Engineering and Reorganizing without End-to-End Operational Risk Assessment?

How is that possible?

As you all may know, Operational risk assessments are essential tools for identifying potential hazards, vulnerabilities, and areas of improvement within an organization’s operations. By conducting these assessments, WASA can better understand the possible consequences of changes to their operations and develop strategies to mitigate risks.


22 April 2024

Building Resilience: The Role of ERM in Transforming Caribbean, Central and Latin American Countries

In the last few years, the Caribbean, Central, and Latin America have been characterized by unprecedented negative disruptions and massive global challenges, whereby the resilience of economies has become paramount for sustainable development. This imperative is particularly pronounced for these countries/islands, given their vulnerability to various risks ranging from natural disasters, crime, societal disruptions, and geo-political and economic risks.


17 April 2024

An Example of Why Strategic Plans Must Be Agile…

As companies develop their strategic plans, I submit that agility must be one of the pillars of that plan. Companies must employ horizon scanning, using both a microscope and telescope to ensure they are looking at not only what is happening and immediate (what is close) but also what can happen (i.e., future-proofing) and what is farther away.

The following is a great example, if not a bit “funny.”


31 March 2024

Your Organization has “Wicked Problems”

“Whether it is pandemics, flood management, snowstorms, drought or satellite failures, the ability to recognise the changing environments that create the conditions in which those incidents can occur, and to prepare ourselves in meaningful and sustainable ways, is the underlying bedrock on which all other actions must take place” -Rubens, D (2023)

Strategic Risk and Crisis Management: A handbook for modelling and managing complex risks. (Kogan Page, p.299)


24 March 2024

You Must Measure What Matters!

12 March 2024

Billion-dollar Bank Failure: $65 Million Civil Penalty for Failing to Keep Proper Risk Controls

“The Office of the Comptroller of the Currency announced on Wednesday that the bank is required to take “broad and comprehensive corrective actions” to strengthen its internal practices.

The OCC found that City National “engaged in unsafe or unsound practices” related to the management of operational risk, strategic risk, investment management practices and compliance”…


02 February 2024

Trinidad Cyber Breaches: A Lack of Effective Risk Management

Many (definitely not all) of the leaders of institutions either don’t seem to know the full range of the impact/probabilities of the risks they are exposed to, or if they do know, it appears they are ambivalent or, worse, don’t care. One reason might be that they don’t have any “skin in the game.” There are no consequences to their inactions, no accountability. Some may even believe they are all-knowing when they should endeavor to be all-learning. (no Intellectual humility)


03 November 2023

What Risks Precede a Cyber Attack?

Cyber attacks have resulted in significant consequences for organizations of all sizes and sectors in the Caribbean, and it is essential to be aware of the risks that can precede them or risks that can act as “risk sources” for a cyber attack. One of those “risks” that has been identified as a possible major source is that of work from home.

Cybersecurity issues (attacks) are on the rise in the Caribbean and can pose a particularly acute risk to those firms and institutions with many remote workers. 


02 November 2023

Objects in the Mirror Are Closer Than They Appear

“Objects in the mirror are closer than they appear” is the “warning sign” on your vehicle’s door mirrors. Applying this warning to the risk management space, one can identify examples of risks that are much closer to your organization (and you) than they may appear to be…

I would also like to “tweak” that warning sign and apply it to a risk management reference: Risks in your rearview mirror may be closer than you think...


23 October 2023

Companies Must Embrace Modern Risk Management

It should be noted that many organizations are practicing “some form” of risk management. Still, it does not meet the requirements needed to treat the current environment, especially given the velocity of risks. This is especially true in small and medium-sized companies/organizations with entrepreneurial cultures, fewer regulatory demands, and more resource constraints. These businesses tend to view risk management as an unnecessary expense, yet they may be more susceptible and exposed to risks.


20 September 2023

Livin La Vida VUCA: A Mindset Change

VUCA conflates four distinct types of challenges that demand four distinct types of responses. We are also experiencing extreme levels of volatility and complexity around the risks that organizations and households are facing. Therefore, your response to any one of these challenges cannot be codified or hardcoded. And why?

Because risk is not static. Furthermore, addressing these challenges will not work by simply changing processes, systems, or regulations. There must be a commensurate change in the “thinking” of leaders, decision-makers, and employees.


04 August 2023

Managing Cybersecurity Risks: The Value of Enterprise Risk Management

“The Office of the Attorney General and Ministry of Legal Affairs (AGLA) (Trinidad and Tobago) has detected a cyber attack on its network.

In a media release yesterday, The Ministry of Digital Transformation said that “This unauthorized and illegal access has negatively impacted operations at the AGLA and certain associated Divisions. Having taken actions to minimize the threat, an investigation, in partnership with leading industry cybersecurity experts, is ongoing” … Trinidad Guardian Newspaper


09 July 2023

Can Your Leaders’ “Decisions” Affect Your Company’s Future or Profits?

Twitter threatens trade secrets lawsuit over Meta’s Threads app.

Alex Spiro, a lawyer for Twitter, accused Meta of engaging in “systemic, wilful and unlawful misappropriation of Twitter’s trade secrets and other intellectual property” in a letter addressed to Zuckerberg dated Wednesday. The letter claimed that Meta had hired “dozens” of former Twitter employees with access to highly confidential information about the platform, many of whom had “improperly retained Twitter documents and electronic devices”.


06 July 2023

Artificial Intelligence and Risk Management: How Prepared Are You?

According to NIST: AI systems are inherently socio-technical in nature, meaning societal dynamics and human behavior influence them. AI risks – and benefits – can emerge from the interplay of technical aspects combined with societal factors related to how a system is used, its interactions with other AI systems, who operates it, and the social context in which it is deployed… If your institution is now using AI or planning to begin using AI, we (CRMA) are available to assist with identifying and managing AI and AI-related risks.


04 July 2023

Human Behaviour: The Greatest Risk to Any Institution

20 June 2023

Global Cyber Breach: The Need to Manage Vendor Risks, People Risks and More…

Several US federal government agencies have been hit in a global cyberattack by Russian cybercriminals that exploits a vulnerability in widely used software, according to a top US cybersecurity agency. Aside from US government agencies, “several hundred” companies and organizations in the US could be affected by the hacking spree, (according to a CNN report). Since late last month, the hackers have been exploiting a flaw in widely used software known as MOVEit that companies and agencies use to transfer data.


18 June 2023

We’re Working and Living in a “Never-Normal” World

We now find ourselves living and working with a pace of change, unpredictability, degree of uncertainty, and interconnectedness of risks and events that have transformed our environment.
And if you throw in the continuous evolution and revolution of AI, that rate of change is going to move even faster.

So, what should you be doing to keep pace with the rate of change? Consider the following…


26 May 2023

Insider Risk Management

While the entirety of risk management is undoubtedly now more complicated, Insider Risk in particular continues to be one of the most difficult to detect and reduce. CISA defines insider threat as the threat that an insider will use their authorized access, intentionally or unintentionally, to do harm to the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. The most recent example and very significant “Insider” breach occurred earlier this week, when a 21-year-old (age as a risk?) air national guard technology support staffer was arrested following a series of reports…


15 April 2023

Now We Know: Why Silicon Valley Bank Imploded or Failed…

“The bank waited too long to address its problems and, ironically, the overdue actions it finally took to strengthen its balance sheet sparked the uninsured depositor run that led to the bank’s failure,” said Barr (Federal Reserve Vice Chair), adding that there was “inadequate” risk management and internal controls.

As organizational psychologist and bestselling author Adam Grant stated: “In theory, confidence and competence go hand in hand. In practice, they often diverge.


27 March 2023

Is Your Institution (Bank or Non-Bank) Sleepwalking into a Crisis?

Risk management is not a panacea or a fait accompli to value protection in any institution. The most recent failures of the Banks in the US and including Credit Suisse are proof of that. Your risk managers, internal audit, and your external auditors may be “blind” to some risks if their focus continues to be singularly on “accounting” e.g. on Capital adequacy and balance sheets. The failures in the US banking system had very little to do with these 2 points. Coincidentally, SVB’s external auditors had given them a “clean bill of health” in February this year.


19 March 2023

Please Modernize Your Risk Frameworks

Most of us will agree that our working world today and in the future is significantly more complex, volatile, chaotic, dynamic, and disruptive than at any other time in our working lives. One only needs to survey the global news reports; whether it’s discussing AI and the ChatGPT potential impact, a possible global recession, cyber risk, climate change risk, and the risk of corporate fade in your organization.


07 February 2023

Global Risk Report: Are You Prepared?

The 2023 WEF Global Risk Report, I submit, is meant to deliver a clear warning, signaling a global community interconnected and “heating up”. In summary, and as it relates to the Caribbean, we deduce from this report that institutions, if they want to be better prepared for the cascading impact of the above risks, must, in the first instance, begin applying new and different thinking to the business of risk and resilience, test their vulnerabilities, calculate business impact, build out a more robust preparedness and resilient institutional framework.


15 January 2023

Doesn’t Anyone do Due Diligence or Deep Dives Anymore?

“These days, it is hard to know what due diligence actually means. Ontario Teachers’ Pension Plan, which put $95mn into FTX, insists that its professionals “conduct robust due diligence on all private investments”. Tiger Global, which tossed in $38mn, pays outside consultants including Bain & Co to do the work. Yet both missed what FTX’s new chief has described as a “complete failure of corporate controls”. Sequoia Capital, which handed FTX founder Sam Bankman-Fried $214mn even though he played video games during his pitch…


27 December 2022

Power Grid Attacks: Are We Concerned Yet?

“Just three days before two electrical substations were shot up, causing tens of thousands of customers to lose power in North Carolina, the federal Department of Homeland Security issued a bulletin warning “lone offenders and small groups” could be plotting attacks and that the nation’s critical infrastructure was among the possible targets”… ABC News (USA)


08 December 2022

The Value Proposition of ERM: Tangibles and Intangibles

The “value” of Enterprise Risk Management continues to be discussed and debated in the hallways/board rooms/schools. As a risk management consultant and lecturer, it is a question I am always asked, so much so that I often refer to myself (my companies) as not only risk practitioners but also risk sales managers. To that end, North Carolina State: Poole College of Management (a leading educator/research institute in the ERM space) researched and prepared a “paper” on the value proposition of ERM, with case studies…


03 December 2022

Get Off Your Ass and Do Something: Risk Management is Real

This may be me venting or projecting, but I have penned this “thesis” for sharing, but I thought I will share it with you first. It is a first draft (pen to paper) and so I am not asking/expecting agreement, but in critiquing, please apply your risk knowledge/risk intelligence. And, yes, I feel very strongly about this, for as I have said, I have lost colleagues when this was not done correctly. When we could not, “imagine” what can go wrong. When we were not prepared, when we failed to ask the right question, or when a flight instructor failed to grasp the significance of a student pilot saying to him: “I don’t need to know how to land the plane”……yeah……


28 November 2022

FTX Bankruptcy: Are You or Your Company Impacted?

FTX Trading filed for Chapter 11 bankruptcy last Friday capping a sudden and startling downfall for one of the world’s largest cryptocurrency exchanges and founder and CEO Sam Bankman-Fried has resigned from the company as its CEO.

Admittedly, I am no “friend” of cryptocurrency exchanges for reasons I will explain under separate cover at another time. Still, some of those reasons are listed below in what I saw as “red flags” or KRI’s around FTX, and others, which hopefully will serve as lessons learned for investors et al going forward.


14 November 2022

Your Risk Management Framework May Be Obsolete

Most of us will agree that our working world today and in the future is significantly more complex, volatile, chaotic, dynamic, and disruptive than at any other time in our working lives. However, despite the many escalations in systemic risks, massive negative disruptions, and volatility in the environment, we still seem to rely on the “dated” risk management framework and control methods developed and deployed years ago within your organization. Yes, the above is a pretty gloomy and potentially dangerous statement but all is not lost, for, with all the negative disruption, there can be significant opportunities…


07 November 2022

Why are there no EXISTING Operational or ERM Risk Professionals Included?

Please check the link below and share your thoughts/answers to my questions below. This is not meant to be controversial nor am I casting any aspersions and with the greatest respect to the speakers, why aren’t any CURRENT and practicing Operational or ERM risk professionals on the list of speakers, as best as I can ascertain from their bios and/or functional titles?

There is a formula that I learned many moons ago: R+H =A. I may simply be demonstrating my bias here with this observation/question and, if so, I sincerely apologize…


25 October 2022

What is your “LOTUS OF CONTROL”?

Can your locus of control affect or influence your business decision-making capability?

Locus of control describes the degree to which individuals perceive that outcomes result from their own behaviors, or from forces that are external to themselves. This produces a continuum with external control at one end and internal control at the other.

As the environment around you changes, you can either attribute success and failure to things you have control over, or to forces outside your influence…


02 September 2022

Cyber Risk: The “little spoken of” Risk to the Caribbean and its Institutions.

As noted by industry specialists and practitioners, Latin America and the Caribbean (LAC) has become a new frontier for cyber-attacks and crime at an estimated cost of around US$100 billion per year. (IDB 2017 report). The Cipher Brief, a digital, security-based platform that connects the private sector with the world’s leading security experts, recently noted that twelve percent of DDoS attacks now target the LAC region and that the number is escalating. It is also the case that there has been a dramatic rise in the number of people, including tourists, with access to Internet-connected devices, potentially increasing national vulnerabilities. 


31 August 2022

ESG Risk: It’s Real and Being Deployed, Managed and Regulated: Ask Canada!

ESG is real: ESG is a system used to measure the sustainability of a company or investment in three specific categories: environmental, social, and governance. As the below article describes, Canada, our North American neighbor (and former fellow commonwealth neighbor) has now mandated that banks and insurance companies report on climate risk exposures of their clients. But: “While the rules do not yet apply to other companies, OSFI will also expect the financial institutions to


10 April 2022

The Paria Diving Disaster: “Pre-Mortems” are much better than “Post-Mortems”

Condolences to the family, friends, and colleagues of those who lost their lives in this catastrophe. The best way for the leaders of these institutions to honor those lives lost is not by talking but by acting. There is a maxim that says: “the uninspected usually deteriorates”. There are risks and hazards (and they are not always the same) that may have gone without being risk assessed, and so they have been metastasized, morphed, and in waiting…


24 March 2022

Note to Leaders: Lessons from Ukraine

In early 2019 the World Economic Forum (WEF) in its annual Global Risk Report warned all of us that escalating divisions amongst our Major Nations meant that we were no longer collaborating on addressing the world’s most pressing threats. For this reason, the WEF warned that we were potentially “sleepwalking towards crisis”. However, a global pandemic (Covid 19) then hit us about 10 months after this warning, and our attention and interest, rightly so, shifted. We are at risk of the breakdown of an entire system rather than simply the failure of individual parts.


15 February 2022

The Cobra Effect: Risk and Audit Assessment can Assist

The Cobra Effect refers to a story from British India. The authorities faced a problem of an uncontrollable increase in cobras. The solution implemented was to incentivize the public to kill cobras by offering a bounty on each dead one. This resulted in people breeding cobras for increased incentives which ultimately resulted in abandoning the program. Many newly harvested cobras were released into the wild making the problem bigger. The moral of the story is… Can you think of any examples in your space?


17 January 2022

Performance, Resilience and Agility Must Be the New Construct

The “silver lining” of the Covid-19 crisis is the new insights that have emerged to aid organizations in transforming for stronger performance through effective risk management.
Risk programs must become more closely aligned with resilience and strategic objectives, so that businesses will be better prepared to respond quickly to the next crisis. Meanwhile, as the risk intelligence of leaders improves, so also will the speed and quality of decision-making. 


06 December 2021

A New Variant Discovered: Maybe Leaders Should Be Looking at People’s Resilience Under Pressure

Dr. Penny Moyle, former CEO at psychometrics company OPP Ltd., has made the study of personality her main interest… “What is clear is that people don’t just develop new traits when they come under pressure; existing ones get magnified. The problem is, companies don’t often produce an emotional map of jobs. They’re very good at producing job descriptions, but not emotional ones. Bosses should be looking at people’s resilience under pressure.”


30 November 2021

The Role of Human Behaviour in Effective Risk Management

The ISO 31000 risk management standard and the NIST Cybersecurity frameworks, among others, have adopted new guidance that suggests considerations into behavioral factors must be included and considered during risk assessments. Human behavior is identified as the weakest link in risk management and security. Human factor risks will continue to increase in the fast-paced digital economy, digital transformations and the business impact of the Covid-19 pandemic. To that end, we suggest that when conducting risk assessments, the first major risk to examine is People and Culture Risk…


15 September 2021

Leadership and Accountability Case Study: People Risk Management

Demonstrating the management ethos that contributed to his recent induction as a Fellow of the Caribbean Risk Management Academy, the Minister of Public Utilities in Trinidad and Tobago identifies and prepares to act regarding the people risks at the organizations within his portfolio.

Visit the website to read the full story published in the Trinidad and Tobago Sunday Guardian Newspaper, December 20, 2021.


21 December 2020

Game Changing Conference

A road map for reigniting growth and innovation in Caribbean economies, the CRMA Conference 2020 was successfully delivered by the Caribbean Risk Management Academy on Thursday 19th November 2020. This game changing conference titled: “Risk Management 4.0 – Constructively Disrupting Caribbean Economies for a Sustainable Future” was the first virtual conference hosted by the Academy. Conference sponsors included First Citizens, the National Gas Company of Trinidad and Tobago and Hitachi Systems Security Inc. Strategic partners included Strategic Leadership Advisors LLC, LCI Management Solutions and WiPay.


11 December 2020

What is Fatigue?

Fatigue plays a vast role in all industries in terms of performance, safety, and productivity. It ranks frequently among the top five human performance factors. The US National Safety Council estimates that fatigue costs more than $136 billion per year in lost productivity alone. 84% of this cost is due to reduced performance at work, rather than absenteeism. 2020 might be the year many people started working from home. But how is your organization managing its changing work and related fatigue risk? Consideration of this risk type must take place…


29 October 2020

Climate Risk Reporting

New Zealand is the first country in the world to make climate risk reporting MANDATORY for financial institutions. Under new legislation announced [in September 2020], large financial institutions need to report annually on governance, risk management, and strategies for mitigating climate change impacts. This is relevant to us because the islands of the Caribbean, like New Zealand, are vulnerable to climate change risk. But how is this vulnerability acknowledged in our governance and legislative framework that drives how we treat this risk?


10 October 2020

Risk Management Life Skills Toolbox

Whether it is personal finance, leaving the house, health risk (which hospital to go to, or NOT) you have to manage the uncertainties that “matter to you” and therefore you should know how to manage risk where the outcomes are to your benefit or detriment. And because of COVID-19, you have been doing this without any formal training on risk management. Risk management must be “personalized”. By that I mean, effective risk management starts with you, the individual. What is the status of your Risk Management Life Skills Toolbox?


07 October 2020