Wednesday, November 25, 2015

World Enough and Time

As I back into the Thanksgiving holiday weekend, global risk has never been higher. There is really not a clear beginning to Daesh, the organization that calls itself The Islamic State or ISIS.  We do know that a caliphate was declared in 2014 after the group broke away from others with similar intentions in the Mideast.  Since the caliphate was declared, the threat from Daesh has spread from the Mideast into other parts of the world, most recently into Paris about ten days ago.

We can analyze where Daesh's money comes from, and how sophisticated its use of social media is, but in point of fact we are dealing with terrorists, fanatics whose goal is to reform the world, to remake it free of the perversity, corruption and heretics it condemns with words from Islamic teaching.

In February I published a piece in The Risk Universe suggesting that the NSA and Anonymous team up to take down financial supply chain lines that fuel Daesh's operations.  Formally, only Anonymous has responded, taking down over 20,000 Twitter sites that are used to recruit young people or pass on propaganda of one sort or another.  I know that NSA and other American intelligence operations have stepped up their efforts online in the last week, and hope that the Pentagon is not far behind, despite those overly optimistic "We have contained ISIS" messages that were being sent out by higher ups.

So tomorrow is Thanksgiving.  I wish each of you a lovely day, one with time to reflect on just how very fortunate we are to live in a country that has a constitution and amendments to protect basic human freedoms, of late to protect those freedoms against political ignoramuses.  Blake has a poem called "The Grey Monk," in which he talks about the cycle of tyranny, and how very easy it is to become (a fanatic) what you behold (fanatics, terrorists, hate crimes), and "become a tyrant in his stead."

Ignoramuses abound.  Do we think that all Christians are members of the Klu Klux Klan?

 I'll be writing more on this topic for the December newsletter; and also for a January piece in The Risk Universe.   In the meantime, you might wish to review this excellent article from Continuity Central by my colleague Peter Power, in which he  has excerpted simple "Stay Safe" checklists for everyone. 

Monday, October 5, 2015

"Collective decision-making, extended kinship structures, ascribed authority vested in elders, flexible notions of time..." (Barnhardt, 2002)

So I teach one other class this quarter, another new one for me called "Foundations of Information Management," to mid-career students on Friday late afternoon, for three hours.  I'm following most of the readings and many of the assignments created by my colleague, Michelle Carter, who wrote the original syllabus for the course and then updated it this year.

Bighorn Medical Circle, Wyoming

But for the first class I wanted to try something else:  to look at the very first forms of information management by indigenous people in this region.  I used two essays, recommended by Emeritus Associate Dean Cheryl Metoyer, herself a Cherokee.  I could not find an expert in this particular field to be a guest speaker, so I led the discussion myself -- and it actually worked out very well, with robust conversations around both readings.  There are 19 "mid-career" students in the graduate course, which means they already have some notion of how to create a conversation and then extend it.  The multiplicity of backgrounds will make this quarter very interesting.

In the third hour of class, we looked at the issue of email records retention, in part because it's in the news right now, but also because each of the course members works for an institution that has some sort of policy.  The Supreme Court ruled years ago that corporate email belongs to the company, not to the individual.  Because of the demand of our fractured work life, some find themselves forwarding corporate materials to their personal emails so they can work from home on the weekend or in the evening.  What kind of risk does this create for the company?

More on that later.  Let me finish by saying I have never had such a congenial group of students as those in these two courses this quarter.

Tuesday, September 29, 2015

Let the adventure begin!

"The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk:  the notion that the future is more than a whim of the gods and that men and women are not passive before nature.” (1)

"The ability to define what may happen in the future and to choose among alternatives lies at the heart of contemporary societies.  Risk management guides us over a vast range of decision-making, from allocating wealth to safeguarding public health, from waging war to planning a family, from paying insurance premiums to wearing a seatbelt, from planting corn to marketing cornflakes.”  (2)
Both of the quotations above are from Against the Gods: The Remarkable Story of Risk by Peter L. Bernstein, the first couple of chapters of which I am using in the new enterprise risk management course I am teaching to informatics undergraduates this quarter.  I thought it would be a good idea to give them a quick survey of how things stood before 1200, and then to see what Renaissance thinkers improved.  They're reading these chapters (not the textbook for the course) up against the 2014 University of Washington Enterprise Risk Management Report to the Board of Trustees.  

In this first class, it will be my job to explain also what an "enterprise" is, given that many undergraduates do not seem to be aware of the role that public and private companies play in our society.

Students will also draw out of a hat to determine what historical risk event their team will be responsible for presenting to the rest of the class during the quarter.  See what you think, and whether you think anyone will be falling asleep during class.  I'll report back later this week, when I describe what I'm doing in my graduate course that I've never taught before.  In the meantime, here are the seven events I've selected to go into the hat tomorrow.

 Hurricane Katrina (2005) – November 2

London Transit Bombings (2005) – November 16

Deepwater Horizon oil spill (2010) – November 23

Office of Personnel Management data breach (2015) – Oct. 2

Oso landslide (2014) – October 7

Edward Snowden and Espionage Act violations (2013) – Oct. 12

Destruction of the World Trade Center (9/11/2011) – Oct.19

Friday, August 28, 2015

Where are we now? How do we move forward?

One of two cornerstones of the National Academy of Arts and Science.
This weekend marks the tenth anniversary of Hurricane Katrina, an event so significant that the practice of emergency management by the federal government was changed forever.  Today marks the 54th anniversary of the March on Washington where Martin Luther King, Jr. gave his famous "I have a dream" speech.  It is the 60th anniversary of the vicious murder of a Chicago boy, Emmett Till, when he visited relatives in the South and whistled at a white woman.  Two days ago, a TV reporter and cameraman were shot dead in the head on a morning news program by a killer who then posted video of the murders to social media.  In a 23 page suicide note, the only thing that the murderer left out of his message was the similarity to ISIS acts of terror that also take place in living color and then get posted to social media sites.

While the federal government has completely reshaped its responses to disasters, we can't really pat ourselves on the back where equality and justice that Reverend King was looking for is concerned.  The situation has never been worse in this country where distrust and anger are concerned, and the gap continues to increase between those who have and those who do not.

The situation appears intolerable also where gun control and mental health proposals go unfunded and unapproved.  The National Rifle Association (NRA) continues to have a lock hold on our elected officials where even the simplest forms of information sharing are concerned -- registering guns and sales of guns in such a way that federal and state police databases are interlocked to detect those with criminal or mental health histories.  Why is this passing bare bones legislation that could trap for lowest hanging fruit so difficult?  What do we need to do to be heard?

The interior cornerstone at the National Academy of Arts and Science.
The worst of it in all this is that each episode seems to set off more disturbed people in what are called copycat events.  Just as those who ride trains every day are probably now more aware of their environments after the events of last weekend on the Amsterdam-Paris train, I suspect that every news person will feel their own heightened anxiety for at least the next several months.

Given the flammable nature of public discourse on so many issues these days, especially with presidential politics starting make things worse, I would suggest that we need to find new ways to move the discussion on gun violence forward, to see if it is possible to affect real change on this issue and on the issues involving equality and justice as well.

Wednesday, July 29, 2015

Earthquakes and the Pacific Northwest

We live in one of the most beautiful places in the world.  Most of us don't like to think about earthquake risk on any consistent basis.  Some of us have ensured that our homes are tied down to their foundations; and that we have an emergency supply kit as well as a family plan for how to find one another if our smartphones won't work.  And that we have emergency supplies in our vehicles and our offices as well.
Emergency kit in our home includes basics as well as a spreadsheet of vital information.

Emergency supplies in my trunk.

A little more than a week ago, the New Yorker published an article by Kathryn Schultz that has caused a great deal of panic and anxiety.  She published a second article this week, attempting to refine the ghastly overly dramatic tone of the first piece; and this time to offer some pretty straightforward recommendations on preparedness at

Other perspectives on how prepared we are here in the Pacific Northwest can be found at; or on the website of the Seattle Office of Emergency Preparedness at

I will say that any articles written about preparedness move the bar a bit higher in terms of neighborhood and civic preparedness.  For myself, I'm changing out some emergency supplies now that I no longer eat much else than greens, beans, other vegetables and fruits.  Once this heat spell is past, I plan to be growing more than Walla Walla onions and green peppers.

How prepared is your family to live without services or support for up to a week?

Do what's reasonable, and then relax -- go out and enjoy this, the most beautiful place in the world!

Wednesday, July 1, 2015

Personal risks and rewards

When I teach operational risk courses, I try to stress that life (and business) is full of risks; and that taking risks with confidence moves you forward, whether you are a family or a business firm.  I had a chance last weekend see that premise manifest itself exactly.

Some of you know that I was born in a small town in Northern Iowa, our family of four part of a larger interwoven group of four Irish Catholic families residing among Scandinavian Protestants.  My great-great grandparents had emigrated from Rathkeale a week after being married in 1861.  My grandfather ("TJ" Hayes) was born in Illinois, but moved to Iowa, where he farmed, bought and sold horses, and raised seven children with his wife, Anna Quinn.  Each of these large moves, from Ireland to Illinois, and from Illinois to Iowa, brought forward momentum and better lives.  Though TJ's grandchildren and great-grandchildren have scattered to many parts of the world, 80 of them returned to celebrate their history and close connection at my cousin Jim Hayes' amazing home in Iowa City this past weekend.  This is the eighth such five year reunion that Jim has hosted, which makes it 40 years old.  He spoke movingly of the four families whose lives intertwined from those first days in North Central Iowa:  the Hayes family, of which I am a member; the Morrissey family, connected through Jim's father's marriage to Alice Morrissey; the Newman family, connected through my Aunt Teresa's marriage to George Newman; and the Barrett family, connected through Nita Morrissey's marriage to James Barrett. 

This photo is blurred but will give you an idea of the volume still present of those four families on this earth.

There are roughly 80 of us in the photograph.

Here's one of the first cousins at the reunion.

Again, a blurred photo, but you get the idea.  These are relatives I have known my whole life.  Each of them has extended the momentum started so many years ago back in Ireland.

Finally, for historical context, I wanted to show a circa 1930 photo of TJ and Anna and their children, some of whom had already married by this time. 

 My mother, Margaret Cecelia Hayes Sowers, is sitting fourth from the right in the first row.  Her father TJ is sitting front row sixth from the right.  My Uncle Jim Hayes, father of host James P. (also Jim) Hayes is first row on the left. Grandma Hayes is middle row, second from the right.

I come from generations of risk takers, each finding its own personal rewards in lives well lived.  It probably explains to some extent how I ended up at this point in my life as a risk detective and as a university lecturer on ethics, policy, law and risk.

Wednesday, June 24, 2015

Influencing the next generation of risk managers

We've had a busy spring, with cyber hacks continuing to hit not only the private sector  but the government as well.  The most visible breaches took place at two health insurers -- Anthem in February and Premera Blue Cross in March -- and the federal government, where what looked like one breach in the Office of Personnel Management that was detected this spring has turned into at least two large breaches, the other being of security background check information that has evidently been going on for some years.

I spoke last week at SecureWorld Portland, covering some of this information, but mainly to show how to present requests for cyber project funding to executives and to boards.  That engagement came just after the end of the University of Washington academic year.

This summer, we've got a couple of large projects on the ASA side to take care of.  The first is an upgrade of the ASA website, to better reflect the proportion of time I'll be spending over the next years on research and publishing, with a lesser emphasis on consulting.  We've also got a third volume of the Reflections on Risk series to publish.  And I'm trying to put together my speaking calendar for the next year, especially those portions that involve travel.

I become a full time lecturer at the University of Washington's Information School in August.  I'll be developing syllabi for two new (for me) courses I'm teaching this fall.  The first is the mid-career graduate course called "Foundations of Information Management."  The other is my first foray into teaching undergraduates, in a course called "Enterprise Risk Management."   I am really looking forward to both, since it will give me a chance to review and tweak my two graduate risk courses at the same time.

Part of my work at the university involves committee service, and I look forward to work on enhancing the Master of Science in Information Management (MSIM) program offerings. Here's a photo of me with several of my mid-career students in academic regalia at the iSchool Convocation 2015 program in Meany Hall.

  Left to right:  Andrew Magnusson, Matthew Christian, and Kenny Lee.

I am proud of all my students.  They are the next generation of risk leaders.

Thursday, May 21, 2015

ASA is six years old

ASA Graphic Designer Jesse Brown
Me and my closest advisor, Lauren Du Graf, wrote all the content for the site, found and furnished the ASA office, and double checked all our perceptions on what this website should be between May and July.

First and Union website developers: Sherry Stripling, Rick New, Molly Martin
My friend Fred Pursell told me that it takes six years to establish a consultancy, and it appears he was right.  After a month long train ride around the country to spend time with friends and decide what I wanted to do next, I filed for articles of incorporation for ASA in May of 2009.  The percentages of my time allocated to various parts of the firm have varied these past six years, but never the two sides of the company.  There is the advisory side of the firm, where we consult with clients that are part of the nation's critical infrastructure; and there is the research side of the firm, including the ASA Institute for Risk and Innovation, that includes publications, public speaking and advocacy and, in some cases, lobbying on behalf of legislation or public policy.

I've really never looked back.  And while I am cutting back on the advisory side of the firm in order to teach full time at the University of Washington starting in August, my interest in how firms behave, in how they practice risk management, and in information-sharing between public and private sectors is still unabashed.

 Carpe Diem!  I can't wait to see what the next six years will bring.

Thursday, April 30, 2015

Bright spots

I read recently that sugar reduces the amount of cortisol your body produces under stress.  It makes perfect sense when you think about it, and before they even ran clinical trials -- but based on the last several weeks, I would say that the world gives us more reason than ever to produce the cortisol.

Whether it is the catastrophic earthquake in Tibet and the loss of both human life, property and cultural heritage...or the devastation in Baltimore, a byproduct of an anger that has been festering for years...or simply personal challenges we all face in our work every day, we need to reduce the cortisol. And there are no easy solutions.

I have found generally that doing what I love evens most other risks (including cortisol) out. I love sharing what I know with others, so being a guest luncheon speaker for the Washington Association of Continuity Planners (ACP) gave me back energy when I spoke on leadership and professionalism.

Earlier this week, I led a panel discussion on "Access, Privacy and Information Risk" for the iSchool's iAffiliates Day, held this year most appropriately at the downtown branch of the Seattle Public Library.  My panelists were high bandwidth and compelling -- Jim Loter, who is the director of IT for the library; Bryce Newell, working on his PhD in the iSchool, who discussed his work with body cameras, public disclosure and Washington State Law; and Aaron Weller, director of privacy and security in the Pacific Northwest for PriceWaterhouseCoopers.  You know that it has gone well by the count of hands in the air to ask questions.

Now I'm getting ready for another kind of thrill -- today's guest speaker in my advanced risk seminar is Mike Howard, Chief of Security at Microsoft.  He's had at least two other professional careers before he arrived at Microsoft, and they play continuously into the work he does globally now.  He is a well-known and respected speaker inside and outside security circles on topics of leadership and policy.

"In the zone."  "Doing what you love."  Both good recipes for cortisol reduction.  Find those bright spots.

Thursday, April 16, 2015

Keeping It New

One of the challenges I face in teaching carries some risk.  That's the challenge of keeping the content refreshed, and bringing the same level of excitement each time I teach the course.  I first taught each of my operational risk courses as "special topics," and have been teaching them as permanent electives for a couple of years now.  Each of the courses lends itself to updates in the reading material, especially based on recent or current events.

But for the students the challenge is in learning how to have a conversation about certain types of risk, how to make an individual assessment and then provide recommendations for a course of action.  We use a couple of different kinds of skills in class:  discussion among peers, facilitated discussions, presentation by example (myself, themselves, and our guest speakers); and writing for an executive audience.

Along the way, we've had to deal with what it means to be present and contributing in class as a seminar member.  I ask that students listen respectfully, with their laptops turned off, to the presentations.  There are so many challenges for their attention, or for my own, that many of us who teach have reverted to showing them studies of how much more effective it is to take notes by hand rather than on the computer -- assuming that what you were doing was taking notes rather than (for example) checking Facebook or Twitter.

There is so much pressure on students to do well that I think it's also important to stop and smell the roses along the way when you can.  Today we're discussing a variety of articles,  including several that purport to explain behavior, of both rogues and executives.  What happens to the calm, rational process of decision making when you are under pressure?  Do you take bigger risks or do you take the most cautious approach?  I think you'd be surprised at what some of the studies say.

Monday, April 6, 2015

Is it possible to manage our privacy?

 I apologize for the long interval between my last post and this one.

Those who've read Advice From A Risk Detective already have a good sense of what I advise in terms of your online privacy.  But here's a short piece I wrote for a Seattle magazine, The Connector,  that hits the high points.

Thursday, February 5, 2015

We are the architects of our city -- creating the City of Seattle's Disaster Recovery Plan

Last week, students in my risk seminar heard from UW seismologist Bill Steele, in particular about the Cascadia subduction zone we live in, including what advance planning and management of risks associated with a major earthquake can be done in advance.

This week, students will hear from Erika Lund, who oversees the City of Seattle's Disaster Recovery Plan, which is an entirely different framework from which to view a disaster.  Among the questions asked of  the Executive Advisory Group, to which Mayor Ed Murray appointed me, were:  how will the Seattle community handle short and long term recovery efforts?  How can we return our economy, education system, social service network, and other vital aspects of our community to full function?  How can we use a disaster as an opportunity to rebuild our community better than it was before? Who is responsible for making such decisions and with whose input? How and when will they be made?

Erika will describe the planning process today and talk as well about the identification of the core values that are a part of the plan.

Someone asked me yesterday if I don't find the world a very depressing place.  I answered that I do not, in part because of inspired work like this, and the people who give their time to do it.

Monday, January 26, 2015

Juno, we're looking over your shoulder...

Juno (Latin: Iūno [ˈjuːno]) is an ancient Roman goddess, the protector and special counselor of the state. She is a daughter of Saturn and sister (but also the wife) of the chief god Jupiter and the mother of Mars and Vulcan.

Central Park today. Instgaram Photo, Andrew Lee Taylor

Northeast public officials have declared states of emergency in advance of Winter Storm Juno, which is likely to cause significant inconvenience and perhaps dangers to public safety as well -- though that is certainly the point of the emergency declarations.

Of all the stories I've seen, the most charming is from The New Yorker's Andy Borowitz, who trumpeted "FEMA Warning:  Internet Outages Caused by Blizzard Could Force People to Interact."  He's right, it could be a golden opportunity to lay down the technology and spend some time with family, neighbors and friends...and your generator.

Hopefully those who could be affected have stocked up on food, water, batteries, diesel (for the generator), and have made a trip to the library so as to have real books on hand to read.   And a battery-operated radio as well, so as to understand how long the storm will persist.

Monday, January 19, 2015

Attention Deficit Disorder and Risk

Here's an interview with me that PR for People's The Connector magazine published last month, in which I opine on a variety of operational risks, including your own personal risks.

Dear Member of the Board

Here's my latest column for The Risk Universe, that makes some recommendations on how boards of directors can up their game where corporate oversight is concerned  It's called "Dear Member of the Board."

There's a lot of responsibility in any corporation at three levels in particular: senior management, the C-Suite, and boards of directors.  Since the Sarbanes-Oxley Act charges boards with a range of responsibilities, understanding them and just how one can become a smarter board member is essential.

Wednesday, January 7, 2015

Terrorism in Paris

Another blow this morning to public safety and to the role of satire in our society.  It appears that the terrorist attack and killings were yet another attempt to increase the distrust of large Muslim populations in Europe.  We each are diminished by such slaughter.  The image above is from Twitter.

I'm trying to stay on task despite the events in Paris.  I've finished and shipped a new article titled "Dear Member of the Board" for the January issue of The Risk Universe magazine.  I've accepted two new speaking engagements. And I'm about half way through my lecture notes for the first class in my introductory risk course for UW graduate students tomorrow evening. 

My column for this month's issue of ASA News & Notes will be the next project in the queue, and will look more closely at the increasing reach of terrorism.