COMPLIANCE
- How Do You Fight Uncertainty?
The new year has begun in earnest for many, with the year's goals and objectives at the forefront of our minds. How will we achieve them in the presence of continued uncertainty? Which threats and opportunities should we contend with, and with what measures? There are many assessment tools to help you identify risk, but few that help you identify where and how to implement risk measures. Bow-tie analysis is one of the best: it places the unwanted event at the centre, with threats and preventive barriers on one side and consequences and mitigating barriers on the other, so each barrier is tied to a specific threat or consequence. It is used by many in highly regulated, high-risk industries such as oil and gas, pipelines and chemicals, and increasingly in IT and other industries; the bow-tie is one of their superpowers for contending with uncertainty. That is why we recommend that organizations use bow-tie analysis to improve the probability of meeting all their stakeholder obligations, and why you should too.

Here is a list of articles and templates covering the bow-tie to help you increase your chances of mission success this year:
  - Are Your Risk Measures Valid?
  - Compliance versus Obligation Risk
  - Integrated Risk Assessment - Template
  - Lean Compliance A3 Format - Template
  - Bow Tie Analysis - Template

If you are interested in learning more, please consider joining The Proactive Certainty Program™.
- Certainty and Compliance
Risk management has for many years focused mostly on identifying possible losses and working out their probabilities. As beneficial as that may be, it does not capture the full nature of uncertainty. ISO 31000 (and others) have tried to expand the definition but only go half way: they focus on the effects, or better the symptoms, and not on the cause or the disease itself. Unfortunately, because of this lack of a holistic approach and the negative connotations associated with the word risk, "Risk Management" is getting in the way of effectively contending with uncertainty. It is time for a change, and that is why we should no longer rely on risk alone.

Historically, compliance has been considered a means to keep risk at bay. When organizations are in compliance (i.e. operating consistently between the lines) they in turn reduce the possibility of loss. This places compliance programs alongside the value chain, with risk reduction as the goal. We have used this model in the past and in some cases it still makes sense to do so. However, what we have found is that this approach tends to focus compliance mostly on conformance to rules, attested by surveys and monitored by occasional audits. The goal seems to be only "staying between the lines" and not staying ahead of risk. The lack of focus on the latter results in risk programs paying too much attention to risk identification and registers (staying between the lines) and not enough to contending with risk itself. In a sense, both risk and compliance suffer from too many check boxes and not enough action.

A Need for Change

Operationally, compliance at its core is the practice of meeting obligations in the presence of uncertainty. Risk management is a means to that end and, more specifically, this should be the focus of operational risk management. This places the majority of risk programs (safety, sustainability, environmental, health, security, privacy, asset management, and so on) alongside the value chain, with compliance as the outcome.

However, compliance here does not mean check boxes. Instead, it means meeting all your obligations (conformance, performance, and outcome-based) in the presence of uncertainty. This change, however, is not enough in our estimation. To reflect the shift towards improving the certainty of meeting obligations, we have elected to call these certainty programs rather than risk programs. This aligns better with the ISO 31000 definition of risk as the effect of uncertainty on objectives, and with the purpose of these programs, which is to make certain (ensure) that objectives across the business are achieved. That is why we propose using the labels Certainty & Compliance rather than Risk & Compliance. There will still be a role for enterprise risk management, but it should result in the creation of operational objectives that fall within certainty and compliance functions. The purpose of Certainty Programs is to keep organizations between the lines while increasing the probability of targeted outcomes and decreasing the probability of undesirable outcomes. These objectives should become part of certainty-based balanced scorecards instead of risk-based ones. This is more than semantics; it is a change in mindset, strategy, and focus.
- Abandoning Risk Matrices: A Critical Step for Risk Management
The world is changing, and with it so are the risks that businesses and organizations face. Over the last year there has been much discussion in the domain of risk management, with many experts raising concerns about the use of risk matrices. Some are even calling for their abandonment altogether, citing the dangers of relying on them to make critical decisions. The best advice, it seems, is to do nothing rather than use a risk matrix. But is that really the best course of action?

The first step in understanding and managing risk is to recognize that it is a complex, multifaceted issue. It cannot be reduced to a simple likelihood-by-severity grid or a set of numbers. Rather, it requires a nuanced understanding of the qualitative nature of the risk or hazard at hand. This means taking the time to thoroughly evaluate the specific risks faced by your organization and developing a comprehensive plan to address them.

While quantitative analysis using tools like Monte Carlo simulation can be helpful when data is available, the reality is that many risks are difficult to quantify. In these cases a more qualitative approach is necessary. This might involve conducting interviews with subject matter experts, analyzing historical data and trends, and engaging in scenario planning exercises to develop a more complete picture of the risks involved.

The question then becomes: where is the middle ground between qualitative and quantitative analysis? How can organizations strike a balance between the two to effectively manage risk? The answer lies in a holistic approach that considers all available data and insights. Rather than relying solely on a risk matrix or other semi-qualitative/quantitative tools, organizations must adopt a more comprehensive approach to risk management. This might involve developing a risk management framework that includes a range of qualitative and quantitative techniques, such as scenario planning, risk mapping, and probabilistic risk assessment. By taking a more holistic view of risk, organizations can develop a more nuanced understanding of the threats they face and strategies to mitigate them.

By discarding risk matrices without a replacement plan, organizations expose themselves to risks that cannot easily be categorized and analyzed quantitatively. It is not enough simply to avoid using risk matrices; organizations must be proactive in identifying and managing risk. This requires a commitment to ongoing risk management efforts, including regular assessments, monitoring, and updating of risk management plans.

The debate around risk matrices and their use is an important one, but it is just one piece of the larger puzzle of risk management. To effectively manage risk, organizations must take a comprehensive, holistic approach that considers all available data and insights. The stakes are too high to simply do nothing; the future of organizations depends on it.
- The Environmental Golden Thread
An effective program results in changed outcomes. Therefore, for an environmental program to be effective it must perform in such a way that outcomes are continually advanced towards the overall goal, which in the case of municipalities is community sustainability. For that to happen each pillar, and the system as a whole, must be operational. This means all essential parts working together to produce what no part can create on its own. We need a golden thread, so to speak, that runs through each environmental pillar, holds them all together, and defines what is essential for the pillar and the entire program to be operational and effective.

As a current reference, the UK last year passed regulation requiring a golden information thread for building safety. This is a digital thread that will provide assurance during a building's life cycle that what should have been done was done. The environmental golden thread approach is an extension of the same thinking. It will provide leadership and management with the status of the environmental program, the level of risk, and where investments might or need to be made across and through each pillar of their environmental program. Many do not have these tools, but they are needed to advance environmental outcomes.

As Eliyahu Goldratt (father of the Theory of Constraints) has said: "Partial implementation of a holistic approach is an oxymoron."

An environmental golden thread can help ensure your environmental efforts produce more than the sum of your action plans. You can download a copy of our presentation from our recent webinar on the Environmental Golden Thread using the following link: If you are interested in learning more about how Lean Compliance can help you with your environmental efforts, please book a 30 minute call with us:
- The Nature of Environmental Obligations - Part 2
In our previous blog post we considered the nature of environmental obligations from the perspective of their compliance approach and the shift from rules- and audit-based regimes to performance- and risk-based strategies. This week we continue our look at the nature of environmental obligations through the lens of regulatory, social, and government licenses to operate. Private and public sector obligations come from multiple sources that can be mapped to the following three types of licenses:
  - Obligations arising from a regulatory license to operate. These come from accepting public responsibilities to behave in line with the conditions of an operating license. They tend to be mandatory and prescriptive in nature. They are often referred to as external obligations, as they are imposed on organizations by external authorities.
  - Obligations arising from a social license to operate. These come from accepting stakeholder responsibilities, where stakeholder is defined in the broadest sense: employees, shareholders, communities, suppliers, customers, residents, the public at large, anyone who has a stake in what the organization is doing. These tend to be voluntary and more performance- and outcome-based. They are referred to as internal obligations, since organizations choose to impose them on themselves.
  - Obligations arising from the authority to govern. These obligations are a result of accepting government responsibilities to contend with public risk. In the case of local governments, they will have obligations from the previous two categories along with obligations associated with their role as regulator to inspect, enforce, monitor, and implement regulatory acts.

In recent years internal obligations have approached parity with, and in some cases exceeded, external obligations in many organizations, driven to a large extent by the adoption of environmental, social, and governance (ESG) objectives. At the same time, environmental obligations have increased across all categories in response to climate change. Unfortunately, compliance for many organizations focuses mostly on external obligations associated with a regulatory license to operate. This leaves a significant number of obligations, many of them environmental, under-resourced, unmanaged and at risk. For compliance to be effective it must adapt to the changing landscape by expanding beyond mandatory and regulatory obligations to include obligations from all sources. This requires knowledge of the nature of obligations and the strategies needed to meet them. Does compliance in your organization cover all your obligations?
- The Nature of Environmental Obligations
Recently the province of Ontario experienced a thunderstorm that left 10 dead and hundreds of thousands without power for several weeks. Waiting to act until an incident has occurred is never the best option when it comes to environmental risk. It tends to result in significant disruption and other adverse effects that might otherwise have been avoided. However, this is the approach when compliance is based on the traditional operating principles of audits and corrective actions. Getting ahead of environmental risk will require a change in mindset and behaviours of the kind we have talked about in recent years.

Just as we have seen quality and safety become more performance- and risk-based, the same shift is happening, with increasing measure, for environmental obligations. This shift will require an operational model that is more than training, audits and corrective actions. It will be more akin to Total Quality Management (TQM), where better environmental outcomes are designed into products and services: Environmental by Design. Organizations will need to set goals and objectives, contend with uncertainty, continuously improve performance, and make progress in the advancement of environmental outcomes. The good news is that the same principles applied in TQM and Operational Excellence can be used to meet environmental obligations. It is time for environmental compliance to become operational in the full sense of the word. Are environmental objectives included in your operational plans?
- 3 Ways to Strengthen Your Defences
There are three ways that we talk about strengthening defences:
  - Reliability
  - Resiliency
  - Anti-fragility

Reliability has to do with preventing disruption, most often by preventing failure of equipment, processes, systems, and the other measures that stop risk from becoming a reality. When reliability fails, we need resilience to recover from the disruption created when that happens. In a storm, trees need to bend and snap back, and so do businesses. Anti-fragility is about getting stronger, better at what we do, as a result of disruption. This has much to do with learning and improving our defences to make them more robust. The airline industry has a strong safety record partly because after every incident it took a deep dive and learned from what happened. It became stronger at preventing accidents over time, and did not waste any knowledge that could be learned from disasters.

All of this applies to meeting all our obligations and keeping our promises. We need to prevent non-conformances, recover from them should they occur, and get stronger by learning from our experiences. What strategies have you adopted so that you endure in the presence of uncertainty? Are your abilities at keeping commitments to all your obligations getting stronger or weaker? Are you extracting all you can from your incidents?
- How Do We Manage Cyber Safety - Part 3
This blog post continues our series on Cyber Safety, in which we have explored various standards, frameworks and guidelines for addressing management vulnerabilities with respect to achieving cyber safety objectives. In this week's post we consider steps you can take to select the approach that is best for you to start improving your cyber safety.

1. Evaluate Defences & Develop Improvement Roadmap

The framework or standard you choose depends on the risks your organization is currently facing or anticipating. So the best place to start is with an assessment of what you want to keep safe, your safety goals, and your cybersecurity objectives. To help you answer these we recommend first conducting a Cyber Resilience Review (CRR), which is a non-technical assessment of your current situation. This review will provide the parameters you need to formulate an improvement roadmap that you can work on in a stepwise fashion over time. If you currently do not have a formal cybersecurity program you might consider a facilitated CRR assessment. Although the CRR is a self-assessment that you could do yourself, you will benefit from having someone facilitate the review, create an assessment summary with recommendations, and develop a cyber safety improvement plan based on the CRR results.

2. Select Standard and Conduct Detailed Assessments

Conducting a CRR will place you in a better position to select a management standard that best suits your business, if you do not already have one. You will also know whether, and which, detailed technical assessments may be necessary to address serious holes in your defences. In our last post in this series we looked at three frameworks:
  - CyberSecure Canada Program - this is a great place to start if your exposure to cyber risk is moderate and your organization is just getting started with a cyber safety program.
  - NIST Cybersecurity Framework - this framework has a strong technical component and best suits organizations with a significant IT footprint, infrastructure, and governance.
  - ISO 27001 - this standard, together with the supporting ISO 27000 family, is particularly useful for organizations that have already adopted other ISO standards, where they can leverage existing management processes and infrastructure.

The results of a CRR will help you determine which approach is best for you.

3. Develop and Implement Detailed Improvement Roadmap

Once a framework has been selected, additional detailed assessments can be conducted based on the kinds and level of risk identified in the CRR, along with additional considerations suggested by the given framework. The goal is to:
  - Identify the risks that really matter.
  - Uncover strategies and plans that already exist to contend with these risks.
  - Evaluate whether these defences are strong enough to keep what you value safe.
  - Develop a comprehensive improvement roadmap that meets your cyber safety objectives.

As noted above, a facilitated CRR assessment and roadmap development process is worth considering if you do not yet have a formal cybersecurity program. If you are interested in having a cyber safety improvement roadmap for your organization, please reach out to us. Also, if you missed Part 1 of this series you can find it here.
- How Do We Manage Cyber Safety - Part 2
This blog post is a continuation of our series on Cyber Safety. In this article we explore several guidelines, standards, and frameworks available to help organizations realize their cyber safety goals. We will begin with a program from the Canadian Centre for Cyber Security, followed by three from the US, and one from the International Organization for Standardization (ISO). Let's start with the Canadian program.

CyberSecure Canada Program

The Canadian Centre for Cyber Security is a valuable source for companies of any size who want to strengthen their defences. On their site you will find the CyberSecure Canada Program, a federal cyber certification program that aims to raise the cyber security baseline among small and medium enterprises (SMEs) in Canada. The desired outcome of this program is to increase overall confidence in the digital economy and promote international standardization that better positions organizations to compete globally, and I would add locally as well. Certification requires implementation of a set of baseline controls (v1.2). These provide an excellent set of initial risk measures specifically designed for small and medium sized operations. You will also need to develop a management framework to advance your cybersecurity capabilities beyond the baseline, but otherwise this is an excellent place to learn and get started with cybersecurity.

Next we will consider what I call the triple threat against cyber risk:
  - CISA CRR
  - NIST CF
  - DOE C2M2

Cyber Resilience Review (CRR)

The Cybersecurity & Infrastructure Security Agency (CISA) created what is called the Cyber Resilience Review (CRR) assessment. This is a no-cost, voluntary, non-technical review that evaluates an organization's operational resilience and cybersecurity practices. The assessment covers 10 activity areas, or what you might call capabilities, and is available as a self-assessment tool. It is also designed to measure existing organizational resilience and provide a gap analysis for improvement based on recognized best practices. The self-assessment tool and practice guidelines are available for free online. A CRR will help organizations scope out what is needed to create a roadmap for improvements, along with a determination of whether more detailed assessments should be conducted. It is compatible with the NIST framework discussed below.

Next we will look at what is probably the most common framework used to manage cybersecurity.

NIST Cybersecurity Framework

In response to a presidential executive order issued in 2013, the National Institute of Standards and Technology, in collaboration with government and the private sector, developed a cybersecurity framework that focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization's overall risk management process. NIST CF consists of three parts, the core, the profiles, and the implementation tiers, covering five functions: Identify, Protect, Detect, Respond, and Recover. This is a very popular framework, particularly if you are in the technology and information sectors. It is risk-based, not a one-size-fits-all strategy, and is intended to be adapted by organizations based on their level of risk and safety obligations.

Cybersecurity Capability Maturity Model (C2M2) Program

The Department of Energy (DOE) developed what is known as C2M2, which is becoming one of the most important tools for assessing the cybersecurity posture of organizations in the energy sector and in other highly regulated, high-risk industries. C2M2 focuses on the implementation and management of cybersecurity practices associated with information technology (IT) and operational technology (OT), which are often managed separately within these industries. C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high enough level that it can be interpreted by organizations of various types, structures, sizes, and industries. C2M2 differentiates between technical and management objectives across 10 domains, which gives organizations a holistic perspective on, and assessment of, their cybersecurity program. The overall intent of C2M2 is to help organizations assess and advance their cyber safety capabilities over time. Self-assessment tools and practice guidelines are also available online.

Lastly, we look at what ISO has to offer.

ISO / IEC 27001

If you have already adopted other ISO programs then this one may align better with your existing management practices. This widely known management standard provides the requirements for an information security management system (ISMS), with supporting standards in the 27000 family providing guidance on individual capabilities and practice domains. It lets you leverage your existing management structure (assuming that it already aligns with other ISO standards) to support the technical processes needed to address cybersecurity risk. Third-party certification is attractive to companies as it provides some evidence that they are treating their cybersecurity seriously.

Summary

We have looked at various standards, frameworks and guidelines for addressing management vulnerabilities with respect to achieving cyber safety objectives. Now, which one should you use, and if you are already using one, how do you improve your effectiveness and your cybersecurity performance? Answering these questions will be the topic of our next blog post on cyber safety, so stay tuned.
- A Failure in Cybersecurity – Lack of Intention
When we hear the phrase cybersecurity many things may come to mind. You might think of such things as:
  - Viruses and malware
  - Email spam
  - Phishing attacks
  - Ransomware

You might also think of things more technically, in terms of:
  - Internet, Internet of Things (IoT)
  - Networks
  - Firewalls
  - VPNs
  - Antivirus software
  - Passwords

You might also think of things in terms of what is at stake, such as:
  - Financial loss
  - Loss of identity
  - Loss of reputation
  - Loss of business, or the loss of your business

Each of these groups represents the kinds of things that need to be managed holistically, together, as a system and, pardon the pun, without any holes, or as they say in the cybersecurity world, vulnerabilities. But what happens when vulnerabilities are exposed and what is valued is not protected?

The LifeLabs Breach

To explore the concept of cybersecurity and bring the topic closer to home, I thought it helpful to look at the LifeLabs breach that happened in Canada in 2019. Here are some of the key facts surrounding the event:
  - This was the largest breach in Canada resulting from a ransomware attack.
  - 15 million people across Canada were affected by the theft of their private data.
  - LifeLabs is reportedly facing lawsuits (in the billions) and certainly a loss of reputation, and perhaps more.

In recent weeks I received an email from LifeLabs, which was also sent to others affected by the breach. This latest communication outlines LifeLabs' response in the wake of the ransomware attack. In the letter we read that LifeLabs has now:
  - Appointed a CISO (Chief Information Security Officer)
  - Added a CPO (Chief Protection Officer) and CIO (Chief Information Officer)
  - Invested $50M to achieve ISO 27001 certification (the international standard for information security management)
  - Engaged a third party to evaluate their cybersecurity program
  - Established an information security council
  - Strengthened their detection technology
  - Implemented yearly security awareness training

This certainly sounds substantial, and it is. However, what this list of actions also tells me is that they had very little in place prior to the breach in terms of management accountability, oversight, standards, or anything that would let them know how well they were doing with respect to protecting patient data. It is good to see that they are addressing these now; perhaps too little too late, time will tell. What we do know is that it will take time before these changes significantly improve their defences, which they should have started to do years ago.

Cybersecurity Risk Landscape

When we look across the cybersecurity landscape, one can make the following observations with respect to risk:
  - Threats to the people and things we care about are all around us, and perhaps always will be.
  - The risks that matter are connected with what is valued, and there are plenty of bad actors who are interested in what we value.
  - The conditions for cybersecurity risk are also increasing, specifically now as more employees are working from home than ever before.
  - Every company has a cybersecurity program; some are more effective than others.
  - Cybersecurity is not only a technical problem; it is a business problem that requires a business solution.

It is the last one that needs to be highlighted, underscored, and acted on the most. Cyber risk is a real threat and involves technical measures to address, but it is foremost a business problem that requires a business solution. LifeLabs' failure to prevent a breach was a failure in leadership and management, which they are now attempting to address, and not necessarily a failure in their technology. Leadership intention and management commitment are needed for companies to keep the dragon of uncertainty from penetrating their defences and stealing their gold, however that is defined.

Lack of Intention

It used to be said that there are two kinds of companies: those that have suffered a cyber-attack, and those that will. But now we say it this way: there are two kinds of companies, those that have suffered a cyber-attack and those that don't know that they have. When they do find out it is often too late, and the effects too severe for many companies to survive. Waiting until you have been breached to improve your cybersecurity defences is probably not the best business or technical strategy. However, many companies still take the wait-and-see approach. So what might motivate organizations to be more proactive about improving their defences?

Companies might consider a legal motivation. Regulations do exist and are expanding to compel organizations to establish adequate programs and measures. However, they have not kept pace and fall short of adequately contending with cyber safety. Waiting for regulations to tell you what you must do will most likely also be too late.

Improving cybersecurity defences is beneficial to reduce insurance costs, improve efficiencies if done correctly, and prevent disruptions, which contributes to greater resiliency for your business. While these are all valuable outcomes, they are often treated as goals to be worked on after all other objectives have been met. Keeping what you value safe and protecting against loss can also be a powerful motivator, particularly when it involves the safety of people and their livelihoods.

But what lies behind all our motivations is our intention. It is a company's intention that ultimately determines the effectiveness of its cybersecurity program and motivates the improvements that are made. Research has shown that intention significantly determines what is accomplished. If your intention is to achieve ISO 27001 certification, for example, then that is most likely what you will get, but you will most likely not improve your cyber security. However, if you want to improve your cyber security and choose ISO 27001 as the means to do that, then you will not only receive your certification, you will most likely improve your cybersecurity as well. You will get both. Where you aim determines what you achieve, which is why organizations need to choose their goals well, including those to improve cyber safety.

In our next blog article we will look at various standards, guidelines, and strategies companies are using to address cybersecurity risk. #managedcybersafety
- The Power of AI
One of the powers of technology is its ability to externalize the means to achieve our ends. This is one way to evaluate what is happening with AI: it is externalizing the means by which we learn, to the point that we don't need to learn ourselves. What if meaning is found not in having the goal of our desire, but instead in our participation in the means to make it happen? That makes the end even more worthwhile, because it is something we accomplished by our own agency, effort, and courage. Something to think about.
- Value Stream Mapping - Just Don't Adopt the Tool, Exploit It!
Value Stream Mapping (VSM) is a widely recognized and adopted lean management method used in various industries and domains, including compliance. While many organizations focus on the tool itself, the true power of VSM lies in its ability to address complex problems and drive transformational improvements. In this blog post we delve deeper into the essence of VSM and why it is crucial to move beyond the surface-level application of the tool to unlock its full potential.

Understanding Value Stream Mapping

Value Stream Mapping is a systematic approach to analyzing the current state of a process and designing a future state for delivering a product or service from its inception to the customer. It visualizes the flow of materials, information, and activities, highlighting value-adding and non-value-adding steps. By mapping the entire value stream, organizations gain a holistic view of the process, enabling them to identify not only bottlenecks and waste but also areas of risk and compliance improvement.

Beyond the Tool: Problem Solving with VSM

VSM is not merely a visual representation of a process; it is a problem-solving tool. Its true power lies in the steps that follow mapping the current state. While understanding the problem is the first step, it is through effective problem-solving that organizations can leverage VSM to drive significant improvements. Many organizations tend to focus on easily solvable issues, or low-hanging fruit, resulting in incremental benefits. While these improvements are of some value, they do not maximize the potential of VSM. To truly exploit the power of VSM, organizations must have the courage and determination to address the hard problems that lie beneath the surface.

Transformational Outcomes

Organizations that choose to tackle challenging problems are more likely to experience better outcomes. By focusing on the problems that really matter, they can initiate transformational changes in their value streams that go beyond eliminating waste and reducing lead times. They will also improve outcomes associated with quality, safety, security, sustainability, and ultimately stakeholder trust. Taking a proactive and comprehensive approach to problem-solving with VSM allows organizations to identify and eliminate root causes rather than simply treating symptoms. This promotes a culture of continuous improvement, fostering innovation and driving sustainable change.

Using VSM Strategically

To extract the maximum value from VSM, organizations should adopt a strategic approach. Here are a few key considerations:
  - Problem Prioritization: Identify the critical problems that have the most significant impact on the value stream and prioritize them accordingly. By focusing resources on these areas, organizations can achieve substantial improvements.
  - Cross-Functional Collaboration: VSM involves multiple stakeholders from different departments and levels within the organization. Collaborative problem-solving encourages diverse perspectives, enabling the identification of comprehensive solutions and the alignment of goals.
  - Continuous Improvement: VSM is not a one-time exercise; it is an ongoing journey. Regularly revisit and update the value stream maps as new challenges emerge, and continuously seek opportunities for improvement and risk reduction.

Value Stream Mapping is a powerful tool that goes beyond its visual representation. To truly harness its potential, organizations must shift their focus from the tool itself to the problem-solving aspect. By addressing the hard problems, organizations can drive transformative improvements, eliminate waste, reduce risk, and achieve better outcomes associated with safety, security, sustainability, quality, and ultimately stakeholder trust. Strategic use of VSM, combined with a culture of continuous improvement, can pave the way for sustained success in any industry or domain. So, let's not just adopt VSM as a tool; let's exploit its full potential to improve the probability of mission success.