[News] Nuclear plant with a virus

In a headline that would make Jack Bauer proud, a German nuclear power plant identified viruses on its office computers.

Fortunately the control systems for the plant were air gapped from the office computers, with no means of direct connection to the internet. However, the viruses were found on USB sticks used to move rod modelling data around the plant.

It isn’t believed that any of the viruses were targeted at the plant in a destructive capacity; rather, they were general malicious programs designed to steal data.

While there is no suggestion that the USB devices would ever have crossed the air gap and infected the control systems, the incident highlights that an air gap is not a panacea for removing IT risk.

From a GRC standpoint, cyber risk is getting more targeted, and most experts are predicting a move from disruptive attacks to destructive attacks. Although the idea of a nuclear meltdown might be something for TV and movies, shutting down Germany’s highest-output power station for a few days would certainly have economic repercussions. Criminal enterprise and nation state cyber attacks are becoming more sophisticated and targeted; if you are big enough or important enough, you will be on the radar for these types of attack.

You can read more about this story on the BBC http://www.bbc.co.uk/news/technology-36158606


[Broken Things] Train Doors

Serial entrepreneur and blogger Seth Godin has a 10 year old TED video, ‘This is broken’, which still makes me smile. The idea is to highlight the broken things that we put up with and to think about why they are broken. It helps to question why things are the way they are.

Here’s this week’s tribute to “it’s broken”.

Train Doors


[News] Britain’s Biscuit Breakdown

Before you put the kettle on for a brew, brace yourself, there is a biscuit shortage.

The United Biscuits factory, based in Carlisle, was forced to halt production after being hit by floods in December. It has yet to resume production of popular dunking biscuits such as the bourbon and the custard cream.


Incentives and risk

We are all the same. I don’t care if you are a saint or sinner. Incentives will gnaw away at our morals and ethics.

The marshmallow test with kids makes us all smile. Deferred gratification often collapses under the pressure of a delicious marshmallow. Even those who succeed can be seen to have had their willpower tested.

We are just an advanced breed of monkeys on a minor planet of a very average star.
Stephen Hawking

Few have sympathy for the banks in the recent spate of mis-selling incidents. While I’m not sympathetic to the organisations, the individuals were placed in a position where breaking rules carried low risk and high reward.

Our brains are wonderful things: we will rationalise acting unethically as ‘bending the rules’, ‘everyone does it’ and other excuses. From the outside, others will be judgemental; from the inside, it will be rationalised.

the money was resting in my account
Father Ted Crilly

How do we incentivise without bad behaviour?

Good Governance. Identify the aspects of an incentive scheme that increase the risk of behavioural conduct issues. Review frequently.

Clarity. Be crystal clear on what is and isn’t acceptable. Avoid meaningless sentiment (“act with integrity”) and use concrete statements (“product is unsuitable for X”). This makes it more difficult to rationalise bending the rules.

Emphasis on quality. Ensure that schemes incentivise the quality and compliance of a sale, not just the volume.

Claw back. The ability to take back incentives if issues are identified. This is also a great metric to track, as claw backs are an indication of conduct risk becoming more widespread.

Capped or decreasing incentives. This prevents sales ‘milking the cow dry’, as each additional sale has diminishing returns. Inappropriate behaviour tends to happen at the higher end, where incentives are being maximised.

Deferral of incentive payments. Deferring payment allows more time for issues to become apparent before rewarding.

Monitor. Good monitoring of patterns for individuals receiving incentives, particularly those paid the most and those who are most at risk.

Conflicts of interest. Identify your incentivised people and those operating key controls, and ensure there is no conflict between the two. Sales managers are often operating the controls that manage the very risks they are incentivised on.

Additional controls. When inappropriate behaviour is identified, add extra controls. This requires effort, as much of the behaviour happens in conversation. Monitor calls, use mystery shoppers, seek customer feedback.

Learn. When inappropriate behaviour is identified, learn from it. Don’t seek to be overly judgemental. If someone did it, the system allowed them to do it.

Teach a man to fish and he will fish till satisfied. Incentivise him and he will fish till there are no fish left for tomorrow.
Alex Hollis

Are you a Special Snowflake

Working as a vendor, I have knowledge of your competitors. I speak to many different companies working in the same or similar markets. I see many different methods of solving the same problems. Some are better than others, and as such I can help make recommendations.

This is the number one question I am guaranteed to be asked: “How does everyone else do it?”

When bringing that experience to clients, there is resistance. It could be pride, it could be fear of change. In either case, those who resist try to rationalise that feeling. The most common response is “that won’t work, we’re different to everyone else”.

You are not special. You’re not a beautiful and unique snowflake.
Chuck Palahniuk, Fight Club

I call this “Special Snowflake Status”.

Stay Simple

Simple is beautiful, stay simple.

This week I was asked by a new client about the common pitfalls when implementing GRC technology. There are a lot of specific examples, but many of them have a common theme.

Every time you ask the system to do something, you trade the simplicity of the system in exchange for the requested function. That sounds obvious, but it is a trade that often goes undetected.

Let’s jump into an example…


5 things to remember with Key Risk Indicators

If you can’t measure it, you can’t manage it. Whether you agree or not, measuring things is important in Operational Risk Management. Key Risk Indicators, or KRIs, help to predict and measure risk. Here are five things to keep in mind with KRIs:

  1. Measure by Numbers – asking people in the business if everything is OK will get you one answer: ‘yes’. Ask the business how many or how much and you will get a number. Next week you get another one, and that is when you can start comparing week by week.

Building a Risk Register

How to build your risk register

As a GRC consultant I’m asked quite frequently, ‘what should I put on my risk register?’. As a risk is anything that can affect your business, it’s understandable that compiling a risk register can be difficult to get your head around.

Here I provide an overview to start you thinking about how to structure your risk register, and the controls you could implement to address the risks on it:
