<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Risk Think &#187; Enterprise Governance</title>
	<atom:link href="http://bpc.bishopphillips.com/riskthink/index.php/topics/governance/feed/" rel="self" type="application/rss+xml" />
	<link>http://bpc.bishopphillips.com/riskthink</link>
	<description>Enterprise Risk Management and BPC RiskManager</description>
	<lastBuildDate>Tue, 31 Jan 2012 14:48:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>2012 A New Year Begins&#8230;</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2012/02/01/2012-a-new-year-begins/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2012/02/01/2012-a-new-year-begins/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 14:39:48 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[ACFE]]></category>
		<category><![CDATA[BPC RiskManager]]></category>
		<category><![CDATA[BPC SurveyManager]]></category>
		<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[Bishop Phillips]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[risk management software]]></category>
		<category><![CDATA[support]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=325</guid>
		<description><![CDATA[Welcome back!  A warm new year's greeting is extended to all our clients and friends for 2012.  BPC RiskManager is getting some dramatic improvements during the year. ]]></description>
			<content:encoded><![CDATA[<p>Welcome back!  A warm new year&#8217;s greeting is extended to all our clients and friends.  We are back after a pleasant and relaxing break with families and hope that those of you now back from enjoying the holiday season in the Oz sunshine are well tanned, recharged and as excited about the coming year as are we (well, minus the tan because it, well&#8230; rained&#8230; a lot).  To those of you in the northern hemisphere blessed by snow, we hope you had the opportunity to relax beside a crackling fire and laugh with good friends.   </p>
<p>We have started work on a long list of  new features and enhancements to our governance software suite: BPC RiskManager, and, assuming the world doesn&#8217;t come to an end this year, we think you are going to like what is coming &#8211; but more on that in future posts. </p>
<p>Our four main service lines (Software Sales, Custom Software, Survey Hosting and Consulting) have opened the year with the strongest bookings in a number of years, so 2012 looks like it will be an interesting and busy year.  The Custom Software and Consulting teams are now fully committed for the first quarter (obviously sales and hosting don&#8217;t have capacity limits), which is a good way to start the new year.  </p>
<p>2011 was a great year at BPC, and we thank you, our clients and friends, for your ongoing dedication and support &#8211; without you we don&#8217;t exist.  To our clients, while we don&#8217;t get to see many of you personally, our regular telephone conversations and email communications make us feel we know each of you as friends.  We couldn&#8217;t ask for a better bunch of clients &#8211; loyal, considerate, helpful, cooperative, inspirational and fun.   A simple &#8220;thank you&#8221; just doesn&#8217;t seem enough.</p>
<p>For BPC RiskManager V6 users, a major update with lots of new features has recently been released, followed by a couple of progressive updates since then.  Those of you with current maintenance subscriptions, make sure you contact us and get the update; those of you without, make sure you get yourself current and we&#8217;ll get you the update.</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2012/02/01/2012-a-new-year-begins/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk And Social Networking &#8211; Part 2: Social Convergence</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2011/06/24/risk-and-social-networking-part-2-social-convergence/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2011/06/24/risk-and-social-networking-part-2-social-convergence/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 10:55:59 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[FaceBook]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=241</guid>
		<description><![CDATA[Convergence - a term previously applied to the merging of multiple technologies into one device, like a phone that combines email and internet browsing - now has a social mirror in the merging of the multiple social dimensions of a person's existence with their corporate life and their corporate roles.   This social convergence presents risks both to the individual and the business employing them.]]></description>
			<content:encoded><![CDATA[<p>Convergence, a term previously applied to the merging of multiple technologies into one device, like a phone that combines email and internet browsing, now has a social mirror in the merging of the multiple social dimensions of a person&#8217;s existence with their corporate life and their corporate roles.   This social convergence presents risks both to the individual and the business employing them.</p>
<p>As a risk management professional, one of my particular concerns is the significant and rapidly growing scope of risks created by social networking and smart mobile technology.  I admit to being in &#8220;two minds&#8221; about this space.  On the one hand there are definite and clear branding, sales, performance, communication, and social benefits associated with the social media technologies.  On the other hand there are serious and real, present and potential risks that are growing rapidly. I remain concerned that these risks are little understood by the vast majority of the user base, and that there is not a clear path to either mitigating or avoiding them.</p>
<p>The one guiding principle that all internet users should remember is that &#8220;the internet is forever&#8221;.  If you are bold enough to venture into the very dark side of the internet, spend an educational few hours browsing the encyclopedia-dramatica (EA) web site.  (WARNING:  Not Safe For Work.  This site contains extremely offensive, bigoted, obscene and abusive content.  You WILL be offended by some, if not all, of the content.  While it is intended to be a humorous web site, its humour is based on being deeply offensive to almost everyone, so do not visit unless you have a very thick skin, it is not even remotely possible to offend you, you have a secret fascination for the sordid, an extremely well developed sense of the right of free speech, a professional excuse to be there and/or believe that there is no image or viewpoint too strong to gross you out.  Also, be warned that there are some things that once seen can never be &#8220;unseen&#8221;, and the image or text may haunt you for the rest of your life.)   One of EA&#8217;s pet projects is to explore and ridicule internet &#8220;memes&#8221; as they rise to fame.  A meme is an internet fashion, the internet equivalent of the proverbial 15 minutes of fame.  It may be a person, an idea, an identity, etc.  EA delights in recounting in depth the foolishness of targeted memes, the process used in tracking down their real-world identities and exposing their details (names, addresses, associates, phone numbers, etc).  Erstwhile anonymous people who have either done something foolish on internet social media sites or who hold views EA considers extreme or hypocritical are targeted and occasionally harassed.  It is this aspect of EA&#8217;s function that is relevant to this article: the step by step accounts of how some of these semi-anonymous people have had their real identities, with phone numbers and addresses, family and real-life jobs, exposed and linked together with their internet foolishness are a very strong lesson in how dangerous the illusion of anonymity is on the internet.  The advent of modern social media has made this work simpler, faster and possibly even more devastating to the individual.</p>
<p>In the world of simple social networks (bulletin boards, chat rooms, YouTube and email lists), however, considerable resources and skills were required to achieve this kind of exposure.  It is possibly the ability of the group of people championing or supporting the EA website, and the bulletin boards/chat sites from which it draws many of its victims, to draw on their apparently large world-wide participation base that allows them to stitch the data together from these many sources and form a coherent story.   The sheer effort required to do this kind of work has traditionally meant that the ordinary internet user, whose internet behaviour is more &#8220;ordinary&#8221;, had little about which to be concerned.   With the advent of increasingly &#8220;smart&#8221; social media sites like FaceBook, combined with technology advances like facial recognition, smart phones with mobile apps and GPS tracking, marketing agencies and commercial data tracking firms, and 20 years of accumulated tracking data, this is changing.</p>
<p>Consider the recent article in The Wall Street Journal published 18 October 2010: <a title="http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html" href="http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html" target="_blank">FaceBook in Privacy Breach</a>.  The essence of the matter reported was that various apps in FaceBook were providing data to external sites in breach of users&#8217; privacy settings.  The apps on your FB page have access to a considerable amount of your private data regardless of your privacy settings and are therefore capable of transmitting this data to external systems.  Even without this dimension, FaceBook uses a unique identifier for each of its users (a characteristic that would be difficult to avoid).  That identifier probably has to be available to any app a user runs, for many of the app&#8217;s socially beneficial networking capabilities to work.  Given that many apps make use of databases external to FaceBook, that id probably has to be available outside of the FaceBook environment as well.  For the 500 million or so FB users, this is effectively a unique identity number.  Combine that id number with even a polynomial hash of the personal data held in a user&#8217;s FB account, match that hash against a hash of the same fields (say name and address, or email address) held in a marketing or data tracker&#8217;s database, and you have linked the offline database to the FaceBook user without ever transmitting identifiable private information.  </p>
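<p>The linkage described above, as an added example in Python that is not from the original post and not code from FaceBook, any app or any marketing firm: each side hashes the same normalised field, the hashes are joined, and no raw name or email address crosses the boundary.  The records are constructed for illustration and SHA-256 stands in for whatever hash a tracker might actually use.  The last function shows the caveat a practitioner should keep in mind: an unsalted hash of a low-entropy identifier such as an email address is not anonymisation, because anyone holding a list of candidate addresses can hash them and look the value up.  Only a salt kept secret from the other party defeats both the join and the dictionary lookup.</p>

```python
import hashlib
import unicodedata

# Constructed sample data (fictitious people, example.* domains): what a
# FaceBook app can see about its users, and what a marketing/data-tracking
# firm already holds offline. Neither side needs to ship raw fields.
FB_APP_EXPORT = [
    {"fb_id": "100000000001", "name": "Alice Example", "email": "Alice.Example@example.com"},
    {"fb_id": "100000000002", "name": "Bob Sample",    "email": "bob.sample@example.org"},
    {"fb_id": "100000000003", "name": "Carol Test",    "email": "carol@example.net"},
]

MARKETING_DB = [
    {"customer_no": "C-1", "email": "alice.example@example.com", "postcode": "3000"},
    {"customer_no": "C-2", "email": "dave.nobody@example.com",   "postcode": "2000"},
    {"customer_no": "C-3", "email": "CAROL@example.net ",        "postcode": "4000"},
]


def normalise(value: str) -> str:
    """Canonicalise a field so both parties hash identical bytes:
    Unicode NFKC, trim surrounding whitespace, lower-case."""
    return unicodedata.normalize("NFKC", value).strip().lower()


def field_hash(value: str, salt: bytes = b"") -> str:
    """SHA-256 of salt || normalised field (hex). With salt=b"" this is the
    'pseudonymous' token a tracker might exchange instead of the email itself."""
    return hashlib.sha256(salt + normalise(value).encode("utf-8")).hexdigest()


def link_by_hash(app_rows, offline_rows, field="email", salt=b""):
    """Join two datasets on the hash of `field` without either side revealing
    the field. Returns {fb_id: customer_no} for every record that matched."""
    index = {field_hash(r[field], salt): r["customer_no"] for r in offline_rows}
    links = {}
    for r in app_rows:
        h = field_hash(r[field], salt)
        if h in index:
            links[r["fb_id"]] = index[h]
    return links


def reverse_by_dictionary(hashes, candidates, salt=b""):
    """The caveat: given a list of guessed identifiers, hash each guess and
    look the received tokens up. Returns {hash: recovered_identifier}.
    Succeeds whenever the attacker knows the salt (including salt=b"")."""
    table = {field_hash(c, salt): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    print(link_by_hash(FB_APP_EXPORT, MARKETING_DB))
    token = field_hash("bob.sample@example.org")
    print(reverse_by_dictionary([token], ["someone@example.com", "bob.sample@example.org"]))
```

<p>Normalisation is what makes the join work across two independently collected databases (note the mixed case and trailing space in the constructed records), and it is exactly the step a real tracker would take too.  The fix is not a stronger hash function but a secret the other party does not have: with a private salt the tokens are useless to anyone but their owner.</p>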
<p>Data tracking and marketing firms can use things as simple as advertisements and images displayed on a web page you visit to identify you by your browser and IP address to track where you go on the internet &#8211; before we even get into more sophisticated tracking methods.  So now we have the potential for that information to be tied to your FB user identity.</p>
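<p>The tracking described in the previous paragraph, as an added example that is not part of the original post: the server log of a third-party tracker (a constructed sample in Apache combined log format) that serves a 1x1 image embedded on several unrelated first-party sites.  Grouping hits by the crude fingerprint (IP address, User-Agent) reconstructs each browser&#8217;s path across those sites from the Referer header alone, and a single page that carries an account identifier in its URL ties that whole history to a named account.  The hostnames and the <code>fb_uid</code> query parameter are assumptions made for the illustration, not something the article documents.</p>

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed log lines (RFC 5737 test addresses, example.* hosts) for a tracker
# whose /px.gif is embedded on several unrelated sites. Combined log format:
# ip ident user [timestamp] "request" status bytes "Referer" "User-Agent".
# The fb_uid parameter in the last Firefox line is an assumption for the example.
TRACKER_LOG = """\
203.0.113.7 - - [24/Jun/2011:10:01:02 +1000] "GET /px.gif?site=news HTTP/1.1" 200 43 "http://news.example/politics/article-1" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/4.0"
203.0.113.7 - - [24/Jun/2011:10:03:15 +1000] "GET /px.gif?site=shop HTTP/1.1" 200 43 "http://shop.example/cart" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/4.0"
203.0.113.7 - - [24/Jun/2011:10:05:40 +1000] "GET /px.gif?site=health HTTP/1.1" 200 43 "http://health.example/forum/thread/99" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/4.0"
203.0.113.7 - - [24/Jun/2011:10:09:00 +1000] "GET /px.gif?site=fbapp HTTP/1.1" 200 43 "http://apps.example/quiz?fb_uid=100000000001" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/4.0"
198.51.100.23 - - [24/Jun/2011:10:02:30 +1000] "GET /px.gif?site=news HTTP/1.1" 200 43 "http://news.example/sport" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) Safari/533.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def build_profiles(rows):
    """Group hits by the (IP, User-Agent) fingerprint. For each browser, record
    the first-party hosts it was on (from Referer, in order of first sight) and
    any account identifier a page leaked in its URL (assumed parameter fb_uid)."""
    profiles = defaultdict(lambda: {"sites": [], "fb_uid": None})
    for r in rows:
        key = (r["ip"], r["ua"])
        ref = urlsplit(r["referer"])
        if ref.netloc and ref.netloc not in profiles[key]["sites"]:
            profiles[key]["sites"].append(ref.netloc)
        uid = parse_qs(ref.query).get("fb_uid")
        if uid:
            profiles[key]["fb_uid"] = uid[0]
    return dict(profiles)


def identified_histories(profiles):
    """Browsing histories that can now be attributed to a named account."""
    return {p["fb_uid"]: p["sites"] for p in profiles.values() if p["fb_uid"]}


if __name__ == "__main__":
    profiles = build_profiles(parse_log(TRACKER_LOG))
    for key, p in profiles.items():
        print(key[0], "->", p["sites"], "uid:", p["fb_uid"])
    print(identified_histories(profiles))
```

<p>Nothing here requires a cookie or any code running on the first-party sites: the image request alone carries the visiting page in the Referer, and one leaky URL is enough to name the whole history.  The (IP, User-Agent) key is deliberately crude; real trackers add cookies and richer fingerprints, which only makes the correlation more reliable.</p>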
<p>Now let&#8217;s add the latest FB innovation &#8211; facial recognition.  The addition of facial recognition capability to FB and applied to the profile and other images loaded up into the FB database and tagged with personal and &#8220;friend&#8221; identities gives FB possibly the largest facial recognition database outside of any government &#8211; and possibly larger than 90% of governments around the world.   </p>
<p>Lastly, we add to this mix the wide spread use of smart mobile technology with their GPS and web browsing systems &#8211; including FaceBook, and the growing social media linking systems like Xobni that matches your email inbox to the various social media sites like LinkedIn, FaceBook, Twitter, etc.</p>
<p>Take all of these systems together and we have a growing ability for people&#8217;s lives to be comprehensively monitored &#8211; real life, social life and internet life:  who you are, what you look like, where you go &#8211; in real life and internet life, who you work for, what you do, what you say, who your friends are, what you like, what your political views are, what you buy and what you would rather not have others know.  Does this bother you yet?</p>
<p>Even if this unprecedented potential for tracking and data matching &#8211; social convergence &#8211; does not concern a given individual, from a corporate perspective it creates some unique risk management questions:  </p>
<ul>
<li>When a person&#8217;s real-world private life, internet private life and real-world corporate identities converge, and that convergence brings disrepute on an organisation, what should be the organisation&#8217;s response?</li>
<li>How can an organisation measure and limit the risk from social convergence?</li>
<li>Should an organisation be actively outcome-testing the social convergence of its key employees in order to anticipate the impact of ill-timed exposures?</li>
<li>Should employees be discouraged from using any data that can be used to match their corporate identities in social media?</li>
<li>Should an organisation actively educate their staff about the risks of social convergence to them and their employer?</li>
<li>To what extent should organisations apply the same social-convergence morality tests to the organisations with which they trade?</li>
</ul>
<p>As a strong proponent of the rights of the individual, freedom of speech and the duty of employers to &#8220;mind their own business&#8221; with respect to the individuals they employ I find the implications of these questions extremely troubling, but I fear they will not be able to be ignored forever.</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2011/06/24/risk-and-social-networking-part-2-social-convergence/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>New BPC SurveyManager Documentation &amp; Examples</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2010/06/14/new-bpc-surveymanager-documentation-examples/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2010/06/14/new-bpc-surveymanager-documentation-examples/#comments</comments>
		<pubDate>Sun, 13 Jun 2010 18:55:24 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[BPC RiskManager]]></category>
		<category><![CDATA[BPC SurveyManager]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Enrima]]></category>
		<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Express]]></category>
		<category><![CDATA[RM Development]]></category>
		<category><![CDATA[RM How To]]></category>
		<category><![CDATA[Bishop Phillips]]></category>
		<category><![CDATA[risk management software]]></category>
		<category><![CDATA[survey software]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=163</guid>
		<description><![CDATA[New tutorials and documentation for BPC SurveyManager have been loaded onto the riskwiki.]]></description>
			<content:encoded><![CDATA[<p>We have been busy with updates to the riskwiki (and the BPC SurveyManager library and BPC SurveyManager Maintenance WebClient).  The riskwiki has had various improvements and updates to the survey manager documentation, including a long list of examples and explanations of the input controls and the first of our tutorials on creating particular survey layouts.</p>
<p>The tutorials are at:</p>
<p><a title="http://riskwiki.bishopphillips.com/index.php?title=BPC_SurveyManager_-_Tutorials_-_Survey_Layouts" href="http://riskwiki.bishopphillips.com/index.php?title=BPC_SurveyManager_-_Tutorials_-_Survey_Layouts" target="_blank">BPC SurveyManager Tutorials</a></p>
<p> We will be adding more as time permits.</p>
<p>The illustrated list of input controls is at <a title="http://riskwiki.bishopphillips.com/index.php?title=BPC_SurveyManager_-_Questions_and_Input_Controls" href="http://riskwiki.bishopphillips.com/index.php?title=BPC_SurveyManager_-_Questions_and_Input_Controls" target="_blank">http://riskwiki.bishopphillips.com/index.php?title=BPC_SurveyManager_-_Questions_and_Input_Controls</a></p>
<p>Among the new features recently added to the BPC SurveyManager libraries is a new password-protected portal mode, so you can now selectively surface surveys in each organisation to a simple portal without writing a portal survey of your own.   We have added more capabilities to the auto-publish functions so that you can have anonymous responders for any survey by setting a flag, and impose login requirements per survey without adding user login questions at the start.</p>
<p>The portal mode will be particularly useful to teachers running class-based surveys, because you can now use the portal on a class-wide basis on a school computer for all students to concurrently access a class-based survey without you having to publish to them first or send invitations.</p>
<p>There is lots more coming to survey manager over the next few weeks so keep tuned.   Among the changes coming to the SM library is a significant expansion of Survey Manager&#8217;s ability to directly interrogate and update risk, insurance claims and incident tables for those using BPC SurveyManager as part of their BPC RiskManager application suite.</p>
<p>The BPC SurveyManager Maintenance WebClient is getting some new features to expand the range of surveys that can be built with it.  We have kept it artificially simplified for a number of years, as it was always intended to be an entry-point solution, but the increasingly complex surveys some of the heavier survey manager clients wish to create mean that we really must make more of the survey engine&#8217;s huge range of capabilities available in the web client.   We have recently completed an analysis of the types of clients using our survey technologies heavily, and those of you making the heaviest and best use of the tech are also those attempting the most complex surveys.  </p>
<p>The current web client just does not do the underlying survey engine justice and we feel it is time to really let it stretch its legs.   We will try to keep the over-all feeling of simplicity the same, and in fact some things will seem to get simpler, because the current release makes some things just too mindless by doing a whole lot for you in the background.</p>
<p>Even so, we are told, our web client is still way more powerful than most similar survey clients, but if you like the current one, just wait for the enhancements coming.</p>
<p>Oh, and don&#8217;t forget, that we host surveys on our servers, so you can contract us to manage your survey needs on your behalf.  The service includes your own database, the survey engine, emailing invitations, the portal, at least daily backups, 24 hour monitoring, responder assistance, maintenance of the data and content and even assistance with creation of surveys.  All clients are encouraged to try out this extremely economical service as an alternative to doing it yourself.  The distributed nature of BPC SurveyManager means you can exchange surveys and data with our servers to feed back into your risk systems, for example (or just point your survey manager or risk manager clients at our servers in addition to using the web client).</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2010/06/14/new-bpc-surveymanager-documentation-examples/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Risk and Social Networking Sites</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/#comments</comments>
		<pubDate>Wed, 19 Aug 2009 21:32:44 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[FaceBook]]></category>
		<category><![CDATA[KoobFace]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Trojan]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=79</guid>
		<description><![CDATA[Social networking websites as part of your branding, staff integration and presence solutions introduce some interesting risks for risk managers and IT professionals.  There is one group of point risks that is specific to the medium and carries the risk of seriously damaging client and public confidence in your organisation.]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>So you are looking to lift your company, education institution or government agency&#8217;s web profile&#8230;</p>
<p>You do the usual things: rework the main web site, start up blog feeds, revamp forums, establish wiki or other information feeds, acquire/renew SSL certificates so the site can be authenticated as really belonging to a bricks and mortar business.  So far so good.  All this is under your control on your servers.  Your IT team can establish control and security over the software, you can monitor it, and you get a reasonable level of comfort that you can assure visitors that your site is safe to visit.</p>
<p>Then a consultant advises you that to reach the younger market, or even simply to project a progressive and innovative image you need to embrace the more inclusive social networking spaces like MySpace, FaceBook, YouTube and/or Twitter.   &#8220;Everyone&#8221; is using these sites so they must be safe. Right? </p>
<p>No, wrong. </p>
<h2>Identifying the Social Networking Strategy</h2>
<p>Let&#8217;s look a little more closely at MySpace and FaceBook, specifically.  There are three broad approaches to using these platforms in business:</p>
<ol>
<li>Teams use the sites to establish private networks for intra-team communication;</li>
<li>Employees establish individual profiles and use the sites to establish direct customer to staff connections; and</li>
<li>The business uses the sites (primarily, MySpace in this case) to establish branding for a product or service and allowing the public to friend the product or service, etc.</li>
</ol>
<h2>Analysing The  General Risks</h2>
<p>Each of these uses, in the right context, carries advantages to the business,  so one view of the risk profile would say that not using the facilities is an opportunity cost that may disadvantage the business with respect to the competition, or (in the case of government) achieving the best possible policy outcomes and staying in-tune with a target market or spinning the desired message.  So the case for adoption, might consider possible causes of outcome failures to include:</p>
<ol>
<li>Costs of  setup and maintenance (staff time, materials preparation, policy formation, training, etc) exceeding tangible and intangible returns;</li>
<li>Inattention of staff to maintenance of the material &#8211; hence tarnishing the organisation&#8217;s image rather than enhancing it;</li>
<li>Inappropriate, inconsistent,  or confidential content being posted  hence complicating both the public positioning of the business or occasioning legal exposures;</li>
<li>Inconsistent branding or product/business positioning, where branding and positioning consistency are part of the business image, thus creating confusion in the market;</li>
<li>Disproportionate effort/investment (time, cost, attention, etc) being injected into maintenance of social marketing at the expense of other marketing or activity streams when measured in terms of comparative effectiveness and efficiency in achieving the business objectives, thus resulting in an overall drop in business performance and a net reduction in outcome achievement;</li>
<li>Exposure of information that materially benefits competitors more than it advantages the business, thus resulting in a general weakening of the market positioning through more effective and targeted competitor behaviour;</li>
<li>Market awareness among the target market of potential or actual service consumers of the social services being low while awareness among the non target groups is relatively high, thus resulting in a net reduction in spend efficiency, or no perceived improvement of service among the consumer group.</li>
<li>Increased allocation of staff resources from finite available resources to maintenance of profiling information and friend interaction at the expense of productive outcomes (the traditional email productivity problem) &#8211; thus resulting in a demand for increased resources now for the same transaction outputs as before.</li>
</ol>
<p>We will identify these collective issues as the overall risk &#8220;That adoption of social networking within an Enterprise will fail to achieve intended business objectives&#8221; (such as improved brand awareness, improved profit, public acceptance of policy objectives, improved targeting of consumers through better feedback, etc).  The risk&#8217;s identified causes and consequences can be managed by appropriate remediation strategies and informed through the right measurement systems.  They are essentially under your control, if in some cases only just!</p>
<p>Between the three broad purposes of FaceBook/MySpace adoption there are some additional point-risks (a cause &#8211; consequence subgrouping of an overall master risk) that are specific to your purpose for the site(s).  For example:</p>
<ol>
<li>Objectives 1 &amp; 2 increase the information available to both internal and external recruiters, better enabling them to target your staff;</li>
<li>Objectives 2 &amp; 3 increase the group awareness of public perceptions of the business and the individuals because comments and feedback posted to the individual profiles by customers (or people pretending to be customers)  can be visible to all other customers;</li>
<li>Objectives 2 &amp; 3 can be hampered by perceptions of low friend counts implying general public disinterest in the service, or the firm, etc.</li>
</ol>
<h2>Identifying The Show Stopper Risk</h2>
<p>Again these potential outcomes can, to some extent, be managed, but there is another risk that is potentially far more serious.  It  is either not under your control or only controlled with an extensive amount of effort on your part.  It is squarely in the IT domain, surprisingly traditional  and arises directly as a consequence of the social networking medium:</p>
<ul>
<li>Client or staff computer infection by Trojan software.</li>
</ul>
<p>Now, before you go &#8220;oh right, that one again&#8221;&#8230; I fall squarely in the camp of IT professionals who consider that virus and Trojan defences are not a big issue, and are relatively easy to manage for both the individual and the enterprise.  An enterprise just needs a sensible and proactive defence policy, some basic good house-keeping rules, and common sense.  So this is a most unusual thing for me to decide to highlight.</p>
<p>The difference is the nature of the interaction among users and otherwise experienced and knowledgeable staff that a social web site creates.   If someone you trust gives you something to look at,  in an environment in which you feel secure, you will probably look at it&#8230;and that is the essence of the problem.   I suspect that users are likely to be less cautious in the social networking context than they are even with email systems &#8211; which we know are 98% spam (statistic based on our own email filter logs!).</p>
<p>For some years my IT Audit team ran &#8220;Tiger Team&#8221; penetrations of secure networks.   All IT intrusion specialists understand that, apart from systems that are simply below standard in their defences, effective intrusion generally requires some degree of social engineering: a bit of research on key people to get an idea of the password possibilities and targets, knowledge of where to go to get access (eg. where branches are located, where systems are located in virtual or physical space, etc), physical access (or virtual access) to a weakly protected node, knowledge about work habits, an understanding of human nature, the ability to claim an association with someone else who is trusted, some degree of trust (eg. an employee) so you can get others to cooperate with you, knowledge of the technologies in use, the ability to hide in a stream of otherwise normal activity without attracting attention, the ability to attract the attention/assistance of individuals or applications that can facilitate an attack without them realising they are assisting, etc.  </p>
<p>MySpace and FaceBook in the first instance, deliver on all these fronts:</p>
<ol>
<li>Their nature is to expose personal information about the individuals profiled on the pages &#8211; that is, after all, what they are about.</li>
<li>They provide a common meeting place that is universally known &#8211; the MySpace and FaceBook sites themselves.  The whole point of using these sites is that the job of getting your market to find you is done, so setting up your own version of MySpace or FaceBook on your web site does not achieve the same outcome.</li>
<li>They facilitate the knowledge of the technologies in use  -  Anybody can create FaceBook and MySpace apps, or learn how to create a profile page, or interact with others, etc &#8211; it is the entire purpose of and essential to the medium.</li>
<li>The sites create a false sense of safety.  They protect themselves from attack, but not necessarily the users, yet the illusion of a controlled space promotes an expectation that the services available have been vetted, when in fact the nature of the web means that these services are no more secure than any other web service.</li>
<li>They foster trust of individuals through artificial group association when in reality &#8220;friends&#8221; are simply random potentially unknown individuals who are self selected.  While you do not have to accept them, part of the point about using such a medium to promote yourself or your business/product is that you will probably be inclusive rather than exclusive &#8211; so clients visiting you should not assume that your other friends are in any way a vetted and approved group (as opposed to a user group forum, who will generally all be actual clients).   &#8220;Strangers&#8221; would be a better, more appropriate term.</li>
<li>They facilitate the exchange of large volumes of trivia.</li>
</ol>
<p>Now, all this is not necessarily a problem without the last ingredient. They attract your clients like bees to honey, and because of all the other factors, in the process your clients &#8220;open the door&#8221; &#8211; they click on links of your friends, they view pages with ad feeds fed by a third party, and they post things (potentially with links) to your bulletin boards that you do not control, but that others access in trust. And it all happens in real time.</p>
<p>Does this matter?  Yes. </p>
<h2>Where Theory Meets Reality</h2>
<p>Here are some examples:</p>
<ul>
<li>In July 2006,  <a href="http://www.theregister.co.uk/2006/07/21/myspace_adware_attack/" target="_blank">1 million users of MySpace</a> were infected with ad-ware simply by visiting profile pages.</li>
<li>In 2007, <a href="http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/" target="_blank">12 million page views potentially</a> infected up to that number of MySpace visitors with a Trojan.</li>
<li>This month and last (2009), an unknown number of MySpace and FaceBook users have been infected by the <a href="http://www.virusremovalguru.com/?p=518" target="_blank">KoobFace Trojan</a> as a result of viewing items added to the postings of friends on others&#8217; MySpace and FaceBook sites. The first thing this Trojan does is contact all your existing &#8220;friends&#8221; via your site and post messages to them from you with the Trojan embedded in the message (after changing your mood so they are encouraged to take a look!). The second thing this Trojan does is monitor your keystrokes so as to collect identity, account and credit card information.</li>
</ul>
<p>This is just the start of the list. When we tested this, the KoobFace Trojan slipped straight past two of our anti-virus/anti-spyware systems unnoticed! Our tertiary network analysis defences spotted the change &#8211; but these are security specialists&#8217; tools and not the stuff on normal machines &#8211; and we knew what we were looking for. Imagine how infecting the networks and computers of your corporate and public clients would help your market brand. Bad if the client&#8217;s protection systems detected the infection attempt &#8211; but even worse if they didn&#8217;t! Not only will the Trojan keylogger infection compromise their security, but as they enter the user IDs and passwords to access your client support systems, they will compromise your security.</p>
<p>The first problem here is that you and your IT team do not control the platform &#8211; and that is the issue that has to be addressed with all cloud computing solutions.  The second problem is that the essence of these technologies is unstructured social interaction (which is good), seemingly in a playground with nice metal fences (which is also good), but really in the middle of a highway, where the cars and trucks are invisible &#8211; but just as dangerous  (which is not so good). </p>
<p>Wan&#8217;na play outside?  Yep &#8211; why not play in the street?</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/feed/</wfw:commentRss>
		<slash:comments>57</slash:comments>
		</item>
		<item>
		<title>Coming To RiskManager &#8211; Enrima Edition</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/coming-to-riskmanager-enrima-edition/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/coming-to-riskmanager-enrima-edition/#comments</comments>
		<pubDate>Sat, 08 Aug 2009 08:27:15 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[BPC RiskManager]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Enrima]]></category>
		<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Express]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[RM Development]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=17</guid>
		<description><![CDATA[A brief look at the coming changes to BPC RiskManager (Enrima Edition) in 2009]]></description>
			<content:encoded><![CDATA[<p>The release of V6.2.5 was delayed a couple of months because under the covers we were putting in a huge range of changes to the database to enable the addition or improvement of a very large range of features. Some of these capabilities existed in earlier versions of RiskManager, but were dropped with the release of the completely re-written and redesigned V6 solution. Others were phased out even earlier (like probability-based risk models &#8211; in Version 2, and Bayesian decision trees &#8211; in Version 1 &#8211; 1996!).</p>
<p>Version 6 was designed around the A/NZ Risk Management standard and a poll of what clients were actually using, with the objective of vastly expanding the depth and versatility of the facilities in use, rather than the breadth of features. So with V6 what is there is really useful and complete, rather than almost useful. Not all of the feature retirement decisions were correct, and for a large number the intention was not feature termination, but feature resting.</p>
<p>Curiously, because BPC RiskManager Express is actually based on the RiskMan V5 code base, a number of these features &#8211; like Compliance, Risk Milestones, and MS Word Reporting &#8211; are in BPC RiskManager Express, which is the &#8216;Entry Level&#8217; system, yet were missing from the V6.0 release. BPC RiskManager Express got its screen makeover with last year&#8217;s release (actually it was started in the release of the year before and completed last year). Version 6 got its Vista screen makeover in 2008 with the release of V6.2.0 (Enrima Edition).</p>
<p>In the years since V6.0 was released the world of Governance has advanced significantly, and many of the capabilities we phased out over the years are now becoming fashionable again. So&#8230; with the release of V6.2.5 we decided to put back into the database most of the features that had been retired in earlier years, feed them some steroids and add a raft of new capabilities (like corporate planning support), together with a Vista/Office 2007 style rework of the screen look and feel. Buried in your V6.2.5 databases are 297 changes (sometimes fields, sometimes entire tables) just waiting to be surfaced to the client.</p>
<p>Over the next six months we will be progressively surfacing these capabilities to the V6 client. Things that are getting added or reworked include:</p>
<ul>
<li>Corporate Planning</li>
<li>Compliance</li>
<li>Multi-base consolidation</li>
<li>Workflow</li>
<li>Scripting</li>
<li>Compliance Document Management</li>
<li>Assertion based control assessment</li>
<li>Control modelling</li>
<li>Internal Audit Planning and Assessments</li>
<li>Assets (including buildings)</li>
<li>Scheduling</li>
<li>Probability calculations</li>
<li>What-If analysis</li>
<li>Import and Export</li>
<li>And much more&#8230;</li>
</ul>
<p>Now I know some of you will look at that list and say about individual items: &#8220;I&#8217;ve got that now! How is that being added?&#8221;. Well, note that I said &#8220;added or improved&#8221;. Existing versions of these features are getting a good dose of steroids, transforming the system from a register and risk/compliance maintenance tool to a planning and analysis tool and full corporate governance management system.</p>
<p>We gave the process of governance a significant rethink over the last few years and realised that to make it work from the risk management dimension as an aid to an organisation, rather than a standards compliance exercise, ERM has to start with the corporate planning side of the business and flow down to the business processes and ultimately to compliance management, with Internal Audit floating across all dimensions validating the reliability of the strategic and tactical control frameworks.</p>
<p>Senior executives, therefore, should use the Governance system to create and report against their corporate and business plans, and in so doing design (or enable the designing of) the risk framework against the strategic and tactical plans. The system therefore has to see risks not just as static demographic and environmental responses, but as a temporal and cognitive response to both the current and planned positioning of the organisation.</p>
<p>&#8230;And this is where we are going.</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/coming-to-riskmanager-enrima-edition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Welcome To The BPC Risk Think Blog</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/welcome-to-the-bpc-risk-think-blog/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/welcome-to-the-bpc-risk-think-blog/#comments</comments>
		<pubDate>Fri, 07 Aug 2009 20:48:00 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[BPC RiskManager]]></category>
		<category><![CDATA[BPC SurveyManager]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Enrima]]></category>
		<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[RM Development]]></category>
		<category><![CDATA[Bishop Phillips]]></category>
		<category><![CDATA[RiskThink]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=9</guid>
		<description><![CDATA[A short introduction to the BPC RiskThink blog and some information about what we do.]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>I have been intending to start a blog to better inform our clients and friends about where we are going with the BPC RiskManager Governance software suite for some time. Coupled with that desire has been an intention to establish a forum for discussing a variety of topics in both Governance and Enterprise Risk Management. Time, as always, has been a harsh master, and this project has been pushed back repeatedly while we worked diligently to get V6.2.5 out.</p>
<p>Finally, thanks to WordPress, we have our blogging system up and running.</p>
<p>This RiskThink web site will add a more immediate information feed to our existing Risk and Governance focused information feeds, such as our popular RiskWiki site ( <a title="http://riskwiki.bishopphillips.com/" href="http://riskwiki.bishopphillips.com/" target="_blank">http://riskwiki.bishopphillips.com/</a> ). The main BPC web site ( <a title="http://www.bishopphillips.com/" href="http://www.bishopphillips.com/" target="_blank">http://www.bishopphillips.com/</a> ) provides a central point of access to our Australian and Canadian web sites, and information about our software products including BPC RiskManager. You can access an enquiry link to get a free, fully functional trial download of the BPC RiskManager suite from that page.</p>
<h2>About Bishop Phillips Consulting</h2>
<p>Bishop Phillips Consulting is a Governance and Enterprise Risk Management software developer and management consulting firm, in business since 1995. We have offices in both Australia and Canada. Software development occurs in Australia, using our in-house programming team, most of whom have been with us since the beginning. Our flagship systems include BPC RiskManager (Enrima Edition), BPC RiskManager (Express Edition) and BPC SurveyManager. We supply consulting services in Risk Management, Corporate Strategy, Government &amp; Public Policy, Compliance, Business Process Design, Internal Audit, Forensic Accounting and Fraud Investigation &#8211; in short everything to do with in house Corporate Governance and Government Administration.</p>
<h2>About BPC RiskManager</h2>
<p>BPC RiskManager is a software suite that covers:</p>
<ul>
<li>Enterprise Risk Management</li>
<li>Strategic Planning</li>
<li>Compliance</li>
<li>Surveys</li>
<li>Control Self Assessment</li>
<li>Workflow</li>
<li>Internal Audit</li>
<li>Assets</li>
<li>Incidents and Hazards</li>
</ul>
<p>It runs on MS Windows systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/welcome-to-the-bpc-risk-think-blog/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

