Saturday, May 12, 2007
Risk Avoiders
Explaining the preferred method for dealing with risk, Clinton said "We've got to try to avert disasters—not just be prepared to bomb somebody if a disaster occurs."
In many respects, the former president's statement not only reflects two terms that witnessed excessive avoidance of growing international threats, but also illustrates an approach that is increasingly common in corporations with respect to operational risk. The siren call of risk prevention is an enticing one, leading many into false hopes of avoiding all things bad. Indeed, some argue that much of the foundation of current progressivist thought is based upon this avoidance philosophy.
Unfortunately for these optimistic believers, when outlier risk events ultimately occur, the theory fails them and rational response measures are lacking. Instead, false causations are usually established and scapegoats found and punished. "If only we tried harder to prevent it and had more money to do so" is the conclusion presented in response to the inherent failure of the prevention strategy. Usually, such systems perpetuate a significant decline until the participants recognize the folly of a prevention-only rhetoric.
For those less familiar with the pedagogy of risk, the former president's perspective can be described as one that believes the significant risks are outside the system and consequently can be prevented. In risk nomenclature, this is known as exogenous risk, or risk that is "external to the system." The opposite belief, that risk is inherent to the system, is known as endogenous risk.
In many operations environments, managers are likely to find a pronounced exogenous-believing, risk-avoiding culture. Assets are deployed for risk prevention. In my information security experience with community banks, this corresponded with purchases of network firewalls, host firewalls and the application of software patches making up the overwhelming majority of the information security budget. Methods that detect risk were a small minority of the budget, usually limited to the periodic review of log files, while more expansive detection and response capabilities were simply nonexistent. Managers sought to believe that risk was outside the bank's information processing environment and could be kept out by barring the virtual doors to threats. (In firewall culture, some refer to this as the "Great Wall" strategy, where all defenses are focused on a single great barrier between the exogenous Internet environment and the company's internal network.)
In the event such a threat passes through the barrier, it usually magnifies quickly, finding a homogeneous environment in which to spread. Companies often operate the same type and version of operating system (at the same patch level) on their servers, administrative usernames and passwords are often the same, and defense approaches on servers are identical. Once the threat has defeated one system's prevention capabilities, it has defeated them all. Only detection and response remain, but as we've seen, these have been neglected in many environments.
Addressing this disparity requires the adoption of a philosophy in the business culture that risk is endogenous, i.e. "bad things can and will occur." Instead of fearing and seeking to ban all fires, a balance is struck between cost-effective prevention and effective detection and response capabilities. In the information security practice, this balance is well supported by best practices communicated by numerous professional and regulatory bodies (e.g. ISACA and (ISC)2). In fact, a risk management approach I've found successful in smaller operational environments has been one that closely evaluates risk prevention systems in order to locate aversion bias and the occasional behaviors that cause leptokurtic skew of the organization's risk environment. Overconfidence in prevention appears to be highly associated with operational risk leptokurtosis.
Additional options may emerge, including one under evaluation in my research that focuses on the application of settlement processes (e.g. mark-to-market) to operational risk to support real-time risk recognition, similar to the daily settlement of positions found in futures markets. In such systems, the consequence of a risky position is felt quickly and usually with a moderate impact, providing the organization with immediate feedback. I'll be commenting more as this model evolves.
Saturday, May 05, 2007
The "Me" Generation Cashes Out
Recently, leveraged buyout activities converting Fortune 500 public firms to privately held assets at the expense of firm cash flow and intellectual capital have escalated to new heights. With the carrot of a one-time gift of a few dollars per share, LBO firms obtain ownership of their targets, financed by cash flows that a more visionary executive would be directing into innovation. Most of the LBOs I've analyzed have some interesting characteristics:
- Retiring senior executives seeking a massive cash pay-out that normal retirement options do not provide.
- Healthy cash flows that have been wasted by senior management's lack of interest in the "next 20 years," which instead make the company a huge LBO target. That many LBO events occur with the full participation of senior management in companies with excess, under-utilized cash flow is no mistake.
- Stock prices that are undervalued for the cash flows in an economy that continues to value excitement (e.g. Google) or short-term gains over long-term strategy and fundamentals.
Given that everyone seems to be sharing in the massive cashing-out of U.S. productive infrastructure, where's the problem with this cash party? Unfortunately, when a firm gives away its core competencies to foreign firms for a little cash, little remains other than short-term returns. In a sense, retiring executives are pawning the intellectual capital developed over 150 years of U.S. industrial effort for personal riches, with a few dollars to coerce the shareholders into supporting these efforts. For the early movers, it certainly is a lucrative strategy, as Chinese, Indian, Malaysian and other developing-market firms appear to overpay for the opportunity to assume U.S. operations and the commensurate know-how. A few billion dollars invested bypasses 50 or more years of economic struggle, guaranteeing both advancement in operational knowledge and cash flows to sustain the growth, at the expense of the U.S. firm that is liquidating its productive capacity.
However, this portrays a grim future for U.S. mid and large cap firms. Consider what the S&P 500 will look like in 20 years, having liquidated all of its manufacturing, innovation and production operations. Forget about sustaining an information economy, as sectors other than entertainment*, healthcare, pharmaceuticals*, utilities, corporate agriculture and professional services (mostly legal and financial) will no longer have any domestic function. Domestic production outside of the agricultural sector will cease. Worse yet, automation of much of the agricultural sector and continued support by both political parties for low-cost immigrant labor for that which isn't automated leaves little employment opportunity. Lacking any sector to serve as an engine for the domestic economy, the long-term prognosis isn't optimistic.
For the "Me Generation" boomers, the cash-out is exceptional, as it not only liquidates their improvements but those of the predecessor generations. Worse yet, this generation has seen fit to assume excessive long-term foreign debt to provide for low-cost prescription drugs (which, as a demographic, they are most capable of paying for), has poured trillions into ineffective social programs consistent with the counter-culture philosophies of its youth, and has run up unsustainable foreign-financed Federal and trade debt to sustain its lifestyle. While those of the greatest generation would certainly be horrified that their children are pawning the product of their efforts for mega-sized second homes in Palm Springs, the boomers are fortunate to be mostly immune from their criticism.
So what's left for a liquidated economy? It'll be interesting to see what sectors survive. Younger generations still possess creative ability, but have been impaired in mid-to-large cap firms by the glut of senior-level boomers who've yet to retire. Certainly, some of the larger firms might be salvageable and some of their intellectual capital restored. Overall, it is most likely that if the economy is to recover its productive capital, this development will emerge from today's small to micro-cap firms. Once leveraged to the hilt in debt and having seen its intellectual capital sold off overseas for pennies on its true value, today's S&P 500 is unlikely to have much value in the long run.
* Even these sectors are seriously threatened by emerging economies that refuse to recognize the intellectual property laws that provide for return on investment in entertainment and medical innovation, as Thailand and Brazil have recently shown us. Even U.S. energy firms aren't immune from this risk as foreign markets like Venezuela and Ecuador refuse to recognize property rights and seek to capture the financial returns for themselves.
Thursday, May 03, 2007
Schneier's quest for infosec perfection
As an econometrician employed in the information security industry for one of the largest financial processors, I found Bruce's perspective both shocking and, unfortunately, not atypical. Bruce inadvertently touches on the fact that many executives and decision-makers elect to increase the probability of negative outlier events in their information security environment by naively expecting perfection in the inputs. It is little different from Dr. Deming's famous "Red Bead Experiment," in which manufacturing perfection would occur if only the darn employees would listen to management's directive specifying perfect output.
Having served as a bank IT auditor in my previous capacity, I had countless interactions with bank managers who couldn't comprehend why the expensive, proprietary banking software system with an outlandish maintenance contract could be exploited with trivial effort. "We pay them good money for that system to be perfectly secure!" Nor could they relate to the need to replace servers every three years, the very moment they came off capital lease (instead milking the asset for a few more free years of operation, at the expense of some hefty assumed catastrophic risk).
In all of these cases, perfection was usually demanded, yet the reality of human imperfection was ignored. The very environments that lacked the financial and personnel resources for appropriate compensating controls in separation of duties had even higher expectations that their technology assets would provide a perfection that magically absolved the risk created by these limited-resource decisions. Increasingly, I found the pursuit of technological perfection to be a risk-aversion behavior that was common when a manager was overwhelmed by the always changing, never comfortable enterprise risk environment.
Much of my independent work is on a model that anticipates this less-than-rational dynamic and provides a framework for controlling the risk (such as measures that reduce leptokurtic fat tails, where the math becomes rather fierce and quantified financial impact analysis becomes absurd, instead pushing the risk toward a normal distribution that lends itself to traditional risk management techniques). Instead of pursuing the path of avoidance by expecting perfection, as Schneier has outlined, successful systems will recognize that risk is endogenous. Once we've accepted that condition, we can focus our efforts on more successful measures that handle it and keep most of the risk behavior controllable and manageable.
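To make the leptokurtosis argument from the "Risk Avoiders" post and the paragraph above concrete, here is an added illustration (not the author's model, and not code from the original posts). It uses a constructed series of quarterly loss figures in which one intrusion ran unnoticed, and it assumes that a working detection and response capability bounds each incident's loss at a cap; the cap value and the loss figures are assumptions.

```python
"""Added illustration: one uncaught intrusion makes an operational loss series
leptokurtic, and bounding per-incident loss (detection and response stopping the
event early) pulls the series back toward something a mean/variance model can
describe. All loss figures below are constructed, not real data."""
from typing import Sequence


def excess_kurtosis(xs: Sequence[float]) -> float:
    """Population excess kurtosis: 0 for a normal distribution, > 0 means fat tails."""
    n = len(xs)
    mean = sum(xs) / n
    m2 = sum((x - mean) ** 2 for x in xs) / n
    m4 = sum((x - mean) ** 4 for x in xs) / n
    return m4 / (m2 ** 2) - 3.0


def worst_event_share(xs: Sequence[float]) -> float:
    """Fraction of total loss contributed by the single worst incident."""
    return max(xs) / sum(xs)


def bound_losses(xs: Sequence[float], cap: float) -> list:
    """Assumed effect of detection/response: an incident is stopped before its
    loss exceeds `cap` (a modelling assumption, not a measured relationship)."""
    return [min(x, cap) for x in xs]


# Constructed: 20 quarters of losses (thousands of dollars) for a prevention-only
# shop; one intrusion passed the perimeter unnoticed and ran to $200k.
PREVENTION_ONLY = [1, 2, 1, 3, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 1, 2, 1, 2, 1, 200]


def compare(losses: Sequence[float], cap: float) -> dict:
    """Tail statistics before and after bounding each incident at `cap`."""
    bounded = bound_losses(losses, cap)
    return {
        "kurtosis_unbounded": excess_kurtosis(losses),
        "kurtosis_bounded": excess_kurtosis(bounded),
        "worst_share_unbounded": worst_event_share(losses),
        "worst_share_bounded": worst_event_share(bounded),
    }


if __name__ == "__main__":
    # With the $200k outlier, excess kurtosis is about 15 and one event is ~87%
    # of all loss; bounded at $5k it drops to about 3 and ~14%.
    for name, value in compare(PREVENTION_ONLY, cap=5).items():
        print(f"{name:>22}: {value:.2f}")
```

The unbounded series is the case the post describes: a mean and variance computed from it are dominated by one event, so a traditional expected-loss estimate says almost nothing about the next quarter.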