Cutter Consortium: Enterprise Risk Management & Governance

Leveraging the Risks of Others: A Question of Ethics

18 Jun 2009 20:11:40 GMT

Pritchard, Carl | E-Mail Advisors | 18 June 2009 | Enterprise Risk Management & Governance; Business-IT Strategies

Ever worry about stealing someone else's idea? Or worse still, stealing your own ideas while working from one client to the next? The ethical high road is a challenging one to take on an ongoing basis, when so many potential ethical lapses are the result of lapses, rather than intentional commitment of the act. Nowhere is this more true than in risk management. Consider the following scenario:

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090618.html

The Contract Blueprint: Creating Agreements that Will Work in Practice

18 Jun 2009 20:01:45 GMT

Cullen, Sara | Executive Updates | 18 June 2009 | Enterprise Risk Management & Governance

Imagine you and I are building a house without drawings or specifications, instead relying on various tradespeople to use their experience to build what we have in mind. So the concreter lays the slab where he think is best, given his experience; the plumber puts the piping where she thinks it should go. The electrician wires the house as he deems it should be, and so on. They've all done this before, so there is no need for a plan, really. You and I don't know how to build a house anyway, and I'm sure we can both live in whatever they come up with, right?

http://www.cutter.com/content/risk/fulltext/updates/2009/ermu0906.html

Are You at the Controls? Do You Know Where Your Data Is?

10 Jun 2009 19:43:38 GMT

Rosen, Mike | E-Mail Advisors | 10 June 2009 | Enterprise Architecture; Business Intelligence; Enterprise Risk Management & Governance

Perhaps you remember the public service campaign from 1960s television that went something like, "It's 10 pm. Do you know where your children are?" For IT, we could rephrase it as; "It's 2009. Do you know where your data is?" You probably don't, especially if it's in the hands of your partners or outsourcers. So, the answer to the question in the title of this Advisor is most likely, "I don't know."

http://www.cutter.com/content/architecture/fulltext/advisor/2009/ea090610.html

No More Gorilla Dust: Autopsy of GM

4 Jun 2009 16:19:18 GMT

Charette, Robert N. | E-Mail Advisors | 04 June 2009 | Enterprise Risk Management & Governance; Business-IT Strategies; Business Technology Trends & Impacts

So long to the gorilla dust at GM. That's what billionaire entrepreneur founder of EDS and ex-General Motors executive Ross Perot called the annual optimistic projections of GM executives during the 1980s, as it continued to lose market share. "When gorillas fight, they throw dust in the air to distract one another," Perot said.

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090604.html

Reduce Costs the Agile Way: Keep Value in View

28 May 2009 16:06:40 GMT

Highsmith, Jim | E-Mail Advisors | 28 May 2009 | Agile Project Management; Enterprise Risk Management & Governance

The Agile Triangle way of measuring performance can be useful in looking at business goals in new ways (the triangle involves value, quality, and constraints -- as introduced in my Advisor, "Flex Your Agile Triangle and Add Value," 30 April 2009). If the goal is reducing schedules, for example, metrics from agile projects have shown that improving quality has a great impact on schedule reduction. Focusing directly on schedules often has the direct opposite impact on schedules. Admonitions to "go faster" result in cutting quality corners, which in turn ends up lengthening schedules. So ironically, focusing on schedule yields longer schedules while focusing on quality yields shorter schedules.

http://www.cutter.com/content/project/fulltext/advisor/2009/apm090528.html

The Risks of Banking on Risk Certifications

21 May 2009 15:47:51 GMT

Pritchard, Carl | E-Mail Advisors | 21 May 2009 | Enterprise Risk Management & Governance; Agile Project Management

With the ongoing proliferation of certifications available to business professionals of every type, it's no surprise that risk management has popped into the picture in the cost, IT development, and project management communities. The Project Management Institute came first, last year unveiling the PMI-Risk Management Professional (PMI-RMP®) certification as a new addition to its laundry list of professional marks. The Association for the Advancement of Cost Engineering is not far behind, as it is currently in the throes of putting the finishing touches on its version of such a credential.

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090521.html

Information Security and Privacy Training and Awareness for Business Partners: Their Lack of Knowledge Will Be Your Pain

8 May 2009 16:07:45 GMT

Herold, Rebecca | Executive Updates | 08 May 2009 | Enterprise Risk Management & Governance

In Part I of this three-part Executive Update series,1 I covered why smart business leaders need to provide their personnel with regular training about information security and privacy as well as ongoing awareness communications. In Part II,2 I described 14 mistakes that organizations consistently make that undercut training and awareness programs, which are often detrimental to information security and privacy efforts. I have seen the majority of organizations make a 15th mistake, which I will cover in-depth in this third and final Update. That mistake is not providing information security or privacy training and ongoing awareness to outsourced vendors and business partners.

http://www.cutter.com/content/risk/fulltext/updates/2009/ermu0905.html

A Flu Pandemic: To Risk or Not Risk -- That Is the Question

7 May 2009 16:04:14 GMT

Charette, Robert N. | E-Mail Advisors | 07 May 2009 | Enterprise Risk Management & Governance; Business Technology Trends & Impacts

As I write this Advisor, the news about a possible swine flu pandemic is changing almost by the hour. As of today, World Health Organization (WHO) officials and medical specialists in Mexico and the US are cautiously optimistic that the new strain of swine flu -- now officially called influenza A (H1N1) -- may turn out to be a mild form with health effects more typical of an influenza B-type virus.

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090507.html

Some Tips on Leading in a Time of Scarcity

23 Apr 2009 15:41:47 GMT

Pritchard, Carl | E-Mail Advisors | 23 April 2009 | Enterprise Risk Management & Governance; Business-IT Strategies

With the current state of the economy, there has been a seemingly endless stream of articles about scarcity and the natural human reactions to it. Almost to a one, the articles examine the propensity of individuals to focus on what they might not have if the situation doesn't improve, prompting the reaction of thrift. People save. People hoard. People limit their consumption. In some instances, this sense of thrift is blamed as the cause of many of our economic woes. If only people would go back to their spending, everything would be fine, we are told.

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090423.html

Receptivity in Crisis: How Art Helps Diagnose the "Now" to See the "What Now?"

16 Apr 2009 15:06:14 GMT

O'Donnell, Shannon | E-Mail Advisors | 16 April 2009 | Innovation; Enterprise Risk Management & Governance

In a recent discussion among international members of the Centre for Art and Leadership at the Copenhagen Business School, we considered the broad question: "What can art do for business in the current financial crisis?"

http://www.cutter.com/content/innovation/fulltext/advisor/2009/iea090416.html

To Keep Flying, Consider Decision-Focused Dashboards

9 Apr 2009 13:20:47 GMT

Charette, Robert N. | E-Mail Advisors | 09 April 2009 | Enterprise Risk Management & Governance; Business Intelligence

Recently, I had a conversation with Julie Zawisza, director of communications for the Center for Drug Evaluation and Research at the US Food and Drug Administration (FDA). We spoke about the problem of food and drug safety risk communication for a story I wrote for Government Executive magazine on the role of risk management in government ("On the Look Out," Government Executive, March 2009).

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090409.html

What Doesn't Kill You ... And Other Lessons About Support

8 Apr 2009 13:17:36 GMT

Rosen, Mike | E-Mail Advisors | 08 April 2009 | Enterprise Architecture; Enterprise Risk Management & Governance

They say "What doesn't kill you makes you stronger," and perhaps this is true for architects as well. I recently went through an experience that all architects and IT professionals should go through occasionally, but not too often. An insipid virus infected my computer, having evaded the defenses of my firewall/security product and, slowly but surely, rendered my laptop useless. Since I had also fallen prey to application bloat over the years and laptop performance had slowed to the speed of a pig stuck in molasses in January without a paddle, there was really nothing to do but rebuild the OS.

http://www.cutter.com/content/architecture/fulltext/advisor/2009/ea090408.html

Systems Approach Deals with the High-Risk Team Member

26 Mar 2009 14:30:29 GMT

Pritchard, Carl | E-Mail Advisors | 26 March 2009 | Enterprise Risk Management & Governance; Agile Project Management; Business-IT Strategies

What do you do when a team member is actually creating higher risk for the team, and yet you need that person and/or the organization insists you keep him or her? This is actually a far more common quandary than we care to believe. These instances exist because organizations often have policies that allow no "easy out" for employee dismissal and don't really invest themselves at getting to the root of the problem. Instead, they assume that such issues will work themselves out over time (which actually exacerbates the problem).

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090326.html

Avoiding Common Mistakes in Information Security and Privacy Training and Awareness Programs

23 Mar 2009 14:22:14 GMT

Herold, Rebecca | Executive Updates | 23 March 2009 | Enterprise Risk Management & Governance

Here in Part II of this series, I describe the 14 mistakes organizations consistently make that render training and awareness programs ineffective and often even detrimental to information security and privacy efforts.2

http://www.cutter.com/content/risk/fulltext/updates/2009/ermu0903.html

The Vexed Files: Sharing a Web of Insecurity

12 Mar 2009 19:59:41 GMT

Charette, Robert N. | E-Mail Advisors | 12 March 2009 | Enterprise Risk Management & Governance; Business Technology Trends & Impacts

The past week saw several news stories that remind us how fragile IT security has become and how the opportunities created by the tremendous power of the Internet to share information can also create major risks.

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090312.html

Identifying Risks from an ITIL Service Perspective

1 Jan 2009 14:20:15 GMT

Berry, John | Executive Reports | 01 January 2009 | Enterprise Risk Management & Governance

The IT Infrastructure Library (ITIL) and its fundamental concern for quality IT service delivery and management provides a completely fresh way of identifying the full range of risks that organizations face in conceiving, funding, executing, and operating IT services that support business objectives. ITIL strategic and tactical objectives are as clear as the desert sky. Because of this clarity, managers should find it easier to document the potential risks in failing to fulfill ITIL's prescriptions. And identification is the necessary first step to mitigation of those risks. This Executive Report by John Berry demonstrates how businesses can use a simple mini-methodology based on ITIL mandates for the consistent, systematic identification of risks at every stage of the IT service lifecycle within the entire organization.

http://www.cutter.com/content/risk/fulltext/reports/2009/01/index.html

Forecasting Executive (and Team) Behavior

26 Feb 2009 14:08:21 GMT

Pritchard, Carl | E-Mail Advisors | 26 February 2009 | Enterprise Risk Management & Governance; Business-IT Strategies; Agile Project Management

Anyone who has been in the work force more than a matter of weeks has had the experience. You think you know what management wants. You believe you're working in the organization's best interests. You want to show some measure of independence and personal vision. And you act. No sooner do you show just a modicum of initiative, you are crushed like a grape!

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090226.html

In a Down Economy, Proceed Incrementally to Avoid Whipsaw Effect

26 Feb 2009 14:07:13 GMT

Kellen, Vince | E-Mail Advisors | 26 February 2009 | Business Technology Trends & Impacts; Enterprise Risk Management & Governance; Business Intelligence

The 3.8% contraction in gross domestic product (GDP) for the fourth quarter of last year, while better than the 5.5% contraction that economists had been predicting, was still not good news. Why? Inventories increased. If you account for those increased inventories, GDP shrank 5.1%.

http://www.cutter.com/content/trends/fulltext/advisor/2009/btt090226.html

Reinvention: McDonald's Did, and Circuit City Didn't

12 Feb 2009 22:10:55 GMT

Charette, Robert N. | E-Mail Advisors | 12 February 2009 | Enterprise Risk Management & Governance; Business-IT Strategies; Business Technology Trends & Impacts

I am sitting here, sipping my free cup of coffee at McDonald's, looking across the parking lot at the huge going-out-of-business banners strung across the entrance to my local Circuit City store.

"I wonder," I joked with the McDonald's manager, who I know pretty well, "if they had to pay for those banners up front and in cash?"

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090212.html

Institutionalizing Governance in Complex Global Organizations

9 Jan 2009 13:38:25 GMT

Lampshire, Cheryl; Fletcher, Patricia A.K. | Executive Updates | 09 February 2009 | Enterprise Risk Management & Governance

Corporate governance is the means by which accountability to stakeholders is ensured, yet organizations often fail at creating governance plans that align with the organizational context. They also fail at institutionalizing governance that spans levels and processes in the business, particularly in global, multicultural organizations. In this Executive Update, we introduce value-based adaptive models for business governance structure design, operational planning, and implementation for complex global organizations. That is where the board of directors (BOD), CIO, and the IT organization add tremendous value.

http://www.cutter.com/content/risk/fulltext/updates/2009/ermu0902.html

Risk Boredom and Risk Blindness: The Uncommon Common Concerns

29 Jan 2009 19:12:28 GMT

Pritchard, Carl | E-Mail Advisors | 29 January 2009 | Enterprise Risk Management & Governance; Business-IT Strategies

There's a compelling phenomenon that happens with the commonplace aspects of our lives. The boredom that is frequently associated with the average concerns in our day-to-day existence evolves into a willing ignorance that those concerns even exist. In our cars, we sometimes become oblivious to the fact that speeding inherently carries with it a higher level of risk. In our workplaces, we accept the little warning signs (client complaints, team members' missed meetings, excessive e-mail traffic on a single topic, etc.) as being part of the normal operating procedures. In many cases, we remain oblivious to these until they explode into something far more dramatic. The car spins out of control on a wet patch of road. The customer calls us in, threatening to cancel our long-standing agreements. And while we're completely surprised by these crises, we shouldn't be. An outsider looking in would have been surprised that we were surprised. The warning signs were there. How could we be surprised?

http://www.cutter.com/content/risk/fulltext/advisor/2009/erm090129.html

Surviving Compliance: What Would Darwin Do?

22 Jan 2009 18:56:40 GMT

Mason, Cindy | Executive Updates | 22 January 2009 | Enterprise Risk Management & Governance

Reenergizing your company around regulations can give investors confidence and increase credibility. At some point, the foundation of a successful business comes down to trust. So its not just about the regulations, it's about the integrity and honesty of the companies that are doing business. If your organization is making open efforts at increasing trustworthy behaviors, other companies will value those efforts. Technology that supports transparency, accountability, and a code of business ethics supports an atmosphere in which employees are encouraged to act with the spirit of the regulations. As with any problem in life, a good idea can often solve the problem. This Executive Update provides a summary of how IT is being used to comply with the new regulations.

http://www.cutter.com/content/risk/fulltext/updates/2009/ermu0901.html

Organize Adaptively Around 5 Layers Sharing Decision-Making Authority

31 Dec 2008 15:41:57 GMT

Andriole, Stephen J. | E-Mail Advisors | 31 December 2008 | Enterprise Risk Management & Governance

Many companies are decentralized these days, though the number that are reverting to centralization is increasing. The essence of the centralization/decentralization dance spins around the value of shared services. But it's also about discipline and governance. Many companies have had a difficult time standardizing their infrastructures and processes -- so difficult, in fact, that they've resorted to extreme outsourcing.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm081231.html

Debriefing the Winner and Loser After a Bidding Process: Generating Goodwill and Future Success

31 Dec 2008 14:29:31 GMT

Cullen, Sara | Executive Updates | 31 December 2008 | Enterprise Risk Management & Governance

This Executive Update looks at debriefing the bidders after a competitive bidding process has closed. This is often treated as an optional process -- and is usually one to be avoided. However, if done well, with the right intent, it is a valuable exercise for all bidders (unsuccessful and successful) and can also create support for your future bidding opportunities.

http://www.cutter.com/content/risk/fulltext/updates/2008/ermu0812.html

Recently Added

29 Dec 2008 19:27:23 GMT

The Cheaper and Faster Tailspin by Christine Davis and the Cutter Business Technology Council

Risk Can Widen the Window of Opportunity

18 Dec 2008 19:20:48 GMT

Pritchard, Carl | E-Mail Advisors | 18 December 2008 | Enterprise Risk Management & Governance; Business-IT Strategies

The current economic climate seems to be taking its "risk toll." It's not that organizations are now forced into situations where they have to take risks that they would not otherwise take. In fact, the exact opposite phenomenon seems to be occurring. Organizations seem to be crawling into the safest elements of their portfolios and hunkering down for the duration. The World Trade Organization this month withdrew plans to establish a new trade agreement between the EU and Gulf Arab states (Reuters, 15 December 2008). The New Jersey hamlet of Sea Bright dropped a move to a new municipal headquarters (The Hub, 11 December 2008). Retailing leviathan Wal-Mart has given up on its plans for a new store in the Silicon Valley (San Jose Mercury-News, 5 December 2008). While those seem like safe, well-considered risk strategies, the reality is that now is the time for the risk-prone among us to stop taking a pass on risks, and instead jump feet first into the fray.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm081218.html

How Information Security, Privacy Training, and Awareness Benefit Business

9 Dec 2008 15:45:28 GMT

Herold, Rebecca | Executive Updates | 09 December 2008 | Enterprise Risk Management & Governance

Training and awareness initiatives within organizations are like the dust bunnies hiding under your bed that you never want to think about. However, business leaders would be wise to realize that there is not a more effective information security and privacy defense than informed and aware personnel, as Part I of this three-part Executive Update series shows. Humans are the weakest link in the information security and privacy defense program. Building a culture of performing job responsibilities with information security and privacy in mind, every day, will help to dramatically reduce the number of security incidents and privacy breaches and will bring a much greater return on a comparatively small investment (of minimal time and modest dollars) than any expensive technology system can deliver.

http://www.cutter.com/content/risk/fulltext/updates/2008/ermu0811.html

Prediction Markets: An Adjunct to Enterprise Risk Management

9 Oct 2008 15:17:40 GMT

Charette, Robert N. | E-Mail Advisors | 09 October 2008 | Enterprise Risk Management & Governance; Business-IT Strategies; Business Technology Trends & Impacts

There was an interesting story a few weeks ago in the Wall Street Journal about the electronic retailer Best Buy's internal prediction market [1]. Company executives use the prediction market, called TagTrade, to see how successful Best Buy employees think a particular project, idea, or initiative will be.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm081009.html

Quality of Service: You Can't Measure What You Don't Specify!

1 Sep 2008 15:41:13 GMT

Allen, Paul | Executive Reports | 01 September 2008 | Enterprise Risk Management & Governance

At the heart of risk management and governance of service-oriented applications is the need to achieve agreed and measurable quality of service (QoS) levels. Traditionally, analysis and design techniques have tended to focus primarily on functional requirements, relegating quality concerns to the backseat position of nonfunctional requirements, with lip service to QoS levels such as availability and responsiveness. In contrast, service orientation requires that QoS take on a much more central, demanding, and diverse role. As detailed in this Executive Report by Paul Allen, clear definitions and overall guidance are required for addressing these challenges in a way that fits coherently into the bigger picture of roles, service-oriented architecture (SOA) policy, service specifications, and service-level agreements (SLAs).

http://www.cutter.com/risk/fulltext/reports/2008/03/index.html

Bargaining Power in the Outsourcing Lifecycle

1 Sep 2008 14:45:10 GMT

Cullen, Sara | Executive Updates | 01 September 2008 | Enterprise Risk Management & Governance

This Executive Update is designed to help you understand the outsourcing lifecycle in terms of bargaining power as well as the investment you need to make at the right times to manage its ebbs and flows.

http://www.cutter.com/content/risk/fulltext/updates/2008/ermu0809.html

Ethical Approaches to Risk: Ask "When, How, and by Whom?"

25 Sep 2008 14:24:54 GMT

Pritchard, Carl | E-Mail Advisors | 25 September 2008 | Enterprise Risk Management & Governance; Business-IT Strategies

How far can you go before you cross the line between ethical behavior and high-risk behavior? It's a question I've been asking quite a few project managers of late, and I find their responses compelling. The question is a seemingly simple one:

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080925.html

Bailout Means Risk Officers Should Believe Six Impossible Things Before Breakfast

11 Sep 2008 13:47:16 GMT

Charette, Robert N. | E-Mail Advisors | 11 September 2008 | Enterprise Risk Management & Governance; Business-IT Strategies; Business Technology Trends & Impacts

Every chief risk officer (CRO) should have the White Queen's advice from Lewis Carroll's book Through the Looking-Glass, and What Alice Found There emblazoned on a large poster in his or her office as a reminder that impossible things can and do happen.

For another "impossible" thing happened this past weekend that will be affecting the world's financial markets and likely your pocketbook for quite some time: the US government's decision to take over the mortgage companies Freddie Mac and Fannie Mae.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080911.html

Managing Conflict: Part I -- What the Hell Does that Mean?

1 Aug 2008 14:11:34 GMT

Zucker, William A. | Executive Updates | 01 August 2008 | Enterprise Risk Management & Governance

Certain things, such as death and taxes, are inevitable. Conflict is one of them. If you know it is coming, even if unlikely, shouldn't it be part of the risk management plan? We plan for other contingencies; why not conflict?

http://www.cutter.com/risk/fulltext/updates/2008/ermu0808.html

The Power (and Dangers) of the Analogy in Risk Management

28 Aug 2008 17:43:13 GMT

Pritchard, Carl | E-Mail Advisors | 28 August 2008 | Enterprise Risk Management & Governance; Business-IT Strategies

The odds of that? That's like being struck by lightning.

Is it? Is it really?

The English language is rife with metaphors. We do comparisons and analogies on a ritual basis. However, when the topic arises, I'm reminded of a college mate of mine, Jack Shepherd, who used to challenge similes on a regular basis.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080828.html

Learning to Say "No"

14 Aug 2008 22:17:34 GMT

Charette, Robert N. | E-Mail Advisors | 14 August 2008 | Enterprise Risk Management & Governance

Quick, who was Ownit Mortgage Solutions?

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080814.html

Managing Offshore Development: Working Through Cultural and Time Zone Differences

13 Aug 2008 19:28:43 GMT

Berlow, Stacey | Executive Updates | 01 July 2008 | Enterprise Risk Management & Governance

As the US economy continues to be affected by domestic and world events, IT managers are raising the topic of moving some or all IT activities to parts of the world where labor is less expensive. Companies are looking for ways to stretch their budgets. With remote communication modes more easily accessible and stable, and in view of the increased levels of global management experience, the conversation about offshore development teams is one worth having.

http://www.cutter.com/risk/fulltext/updates/2008/ermu0807.html

A Fear of Questions -- a Fear of Answers

31 Jul 2008 19:11:24 GMT

Pritchard, Carl | E-Mail Advisors | 31 July 2008 | Enterprise Risk Management & Governance; Agile Project Management

I've noted an overwhelming trend in the last year or so related to managers' unwillingness to ask questions of their senior management about risk. The trend seems to be rooted in plain old-fashioned fear. When it comes to exploring the depths of what management might be worried about, two prevailing trends are making themselves evident: a fear of questions and a fear of answers.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080731.html

Turning Story Points to Business Models

17 Jul 2008 15:48:07 GMT

Coldewey, Jens | E-Mail Advisors | 17 July 2008 | Agile Project Management; Enterprise Risk Management & Governance

Many agile teams do their estimations in abstract measures, such as story points or complexity points, rather than using effort or time. Though the difference is subtle, abstract measures allow a self-adapting estimation process, decrease wish-based planning, and increase realism. All of these are positive effects that come at virtually no cost, once the team and their management cease confusing planning with motivation.

http://www.cutter.com/content/project/fulltext/advisor/2008/apm080717.html

Guerrilla Management: They Never See It Coming

17 Jul 2008 15:47:18 GMT

Pritchard, Carl | E-Mail Advisors | 17 July 2008 | Enterprise Risk Management & Governance; Agile Project Management

In far too many organizations, bureaucracy is an inherent impediment to success. In a recent class, one student suggested that we might have to seriously consider "Guerrilla Project Management." I pondered the comment, laughed along with the class, and for several days have slowly come to the realization that in making small steps toward big practices, some organizations may be implementing the practice already.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080717.html

Lessons from the Subprime Collapse -- How Long Will They Be Learned?

3 Jul 2008 15:19:40 GMT

Charette, Robert N. | E-Mail Advisors | 03 July 2008 | Enterprise Risk Management & Governance; Business-IT Strategies; Business Technology Trends & Impacts

There was a story not too long ago in the Wall Street Journal on the lessons CEOs are trying to learn from the subprime mess and how these lessons might be applied in their own markets [1]. One of the critical lessons the article highlighted was the importance -- and extreme difficulty -- of being able to deliver bad news to senior executives quickly.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080703.html

The Unfortunate Issue of Social Engineering

1 Jun 2008 15:06:36 GMT

Dooley, Brian J. | Executive Updates | 01 June 2008 | Enterprise Risk Management & Governance

The continuing escalation in the war against computer-based security threats, such as break-ins, malware, and viruses, threatens to obscure what has become the number one security weakness -- the individual. While there is a growing body of resources for combating machine-based attacks, the reality is that successful hacking based on social engineering is much more effective and potentially more devastating. Alas, apart from developing strong policies and an internal awareness of these techniques, little can be done about it. You can develop programs to scan networks and systems, log suspicious activity, and "fingerprint" hazardous code. But you cannot do the same for employees.

http://www.cutter.com/risk/fulltext/updates/2008/ermu0806.html

Seizing Opportunities -- How Individual Success Aids the Enterprise

19 Jun 2008 17:21:57 GMT

Pritchard, Carl | E-Mail Advisors | 19 June 2008 | Enterprise Risk Management & Governance; Business-IT Strategies

In my last Advisor (see "It's Threat 'AND' Opportunity ... Not 'OR'," 22 May 2008), I discussed the concepts that risk as threat is a natural complement to opportunity, rather than the flip side of it. But I made the point that opportunities exist only if we have an accepting attitude toward them. Generating that attitude of acceptance is not something that happens organically. It is something that management must cultivate and clarify if opportunity is to become part of the second nature of the organization.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080619.html

Enterprise Risk Remains Highly Volatile

5 Jun 2008 14:07:49 GMT

Charette, Robert N. | E-Mail Advisors | 05 June 2008 | Enterprise Risk Management & Governance; Business-IT Strategies

There was a report in the Wall Street Journal a few weeks back (see "Analysts Again Are Too Optimistic") about the Standard & Poor's (S&P) 500-stock quarterly earnings index, which missed analysts' expectations for the third quarter in a row. Given that the US economy has been suffering since last summer, an outsider might say, "So what?"

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080605.html

It's Threat "AND" Opportunity ... Not "OR"

22 May 2008 14:27:30 GMT

Pritchard, Carl | E-Mail Advisors | 22 May 2008 | Enterprise Risk Management & Governance; Business-IT Strategies

Discussions surrounding risk management for the last decade have taken on the duality of risk, expressed as threat or opportunity. Corporation after corporation, organization after organization, and manager after manager wrestle with this question: "How should I go about expressing opportunities when someone starts talking to me about risk from a threat context?" The answer may rest in our inherent desire to share information in an either/or context, rather than in a yin/yang perspective. It may be time to start looking at risk and opportunity as complementary rather than opposites.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080522.html

Effective Development Begins and Ends with People

15 May 2008 19:57:49 GMT

Smith, Preston G. | E-Mail Advisors | 15 May 2008 | Agile Project Management; Enterprise Risk Management & Governance

We know that people are our most valuable resource, but we seem to forget this too easily. Recently, I was with an executive team of a high-technology company, and the team was struggling with a string of late-to-market development projects. Finally, the CEO got up and proposed yet another rewiring of the organization chart. I have seen this scenario repeated too many times.

http://www.cutter.com/content/project/fulltext/advisor/2008/apm080515.html

Reputation Management: If You Trust, You Better Verify

8 May 2008 19:45:22 GMT

Charette, Robert N. | E-Mail Advisors | 08 May 2008 | Enterprise Risk Management & Governance

American businessman Warren Buffet once said that, "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."

As Buffet indicates, a company's reputation is one of the toughest corporate values to create and one of the easiest to see slip away. Another company in the news, Illinois, USA-based Baxter International, an $11-billion global healthcare company, is the latest to learn this hard lesson.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080508.html

A Healthcare Services Ombudsman Model

1 May 2008 19:03:02 GMT

Herold, Rebecca | Executive Updates | 01 May 2008 | Enterprise Risk Management & Governance

In the first two Executive Updates in this series (Vol. 5, Nos. 1 and 3), I described in general terms what an ombudsman is and provided a description of what a privacy ombudsman does. In this final Update, I outline a brief overview of the situations that trigger an ombudsman into action, along with a list of the characteristics necessary for an ombudsman role within healthcare services and provider organizations.

http://www.cutter.com/risk/fulltext/updates/2008/ermu0805.html

Architectural Strategies to Tighten Data Security

24 Apr 2008 22:15:46 GMT

Ambler, Scott W. | E-Mail Advisors | 24 April 2008 | Enterprise Risk Management & Governance

It seems as if every time you turn on the television there's an advertisement regarding identity theft or a newscast about how someone lost their laptop containing the personal records of hundreds of thousands of people. With losses running into the hundreds of millions from data theft, not to mention the impact from the reduced trust people have in the ability of many organizations to protect their data, it is clear that data security is a critical issue that must be addressed by your data architecture [1]. Data security issues include authentication, authorization (access control), and encryption/decryption. The good news is that there are architectural solutions to all of these issues, although many of them go beyond the narrow realm of data architecture and are actually IT architecture issues. The bad news is that security is rarely at the top of people's lists; although, mention terms such as "data confidentiality," "sensitivity," and "ownership," and they quickly become interested.

http://www.cutter.com/content/risk/fulltext/advisor/2008/erm080424.html

Lessons Learned: Taking a Page from Risk Management History

1 Apr 2008 15:48:17 GMT

Pritchard, Carl | Executive Reports | 01 April 2008 | Enterprise Risk Management & Governance

This Executive Report by Carl Pritchard uses lessons learned from three classic examples to get at the heart of risk perception and risk management. The examples -- the construction of Saint Paul's Cathedral; the promotion, construction, shipment, and installation of the Statue of Liberty; and the implementation of the US Social Security program from legal authorization through the first benefit payment -- offer powerful, specific, actionable lessons that can be applied in the modern business environment.

http://www.cutter.com/risk/fulltext/reports/2008/04/index.html