<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Risk Think &#187; Internal Audit</title>
	<atom:link href="http://bpc.bishopphillips.com/riskthink/index.php/topics/internalaudit/feed/" rel="self" type="application/rss+xml" />
	<link>http://bpc.bishopphillips.com/riskthink</link>
	<description>Enterprise Risk Management and BPC RiskManager</description>
	<lastBuildDate>Tue, 31 Jan 2012 14:48:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>RiskManager V6.2.6 &#8211; How to add tables and views to RiskManager report builder.</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2011/03/19/riskmanager-v6-2-6-how-to-add-tables-and-views-to-riskmanager-report-builder/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2011/03/19/riskmanager-v6-2-6-how-to-add-tables-and-views-to-riskmanager-report-builder/#comments</comments>
		<pubDate>Fri, 18 Mar 2011 15:44:05 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[BPC RiskManager]]></category>
		<category><![CDATA[BPC SurveyManager]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Enrima]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[RM How To]]></category>
		<category><![CDATA[Bishop Phillips]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=205</guid>
		<description><![CDATA[There are more than 270 tables and views in BPC RiskManager v6.x.  Not all of these tables and views are visible by default in the BPC RiskManager report builder.  Further, you can expand the system by adding your own tables and views to the database.  BPC RiskManager V6.2.6 (BPC RiskManager V6 BETA13+) has dedicated screens for adding these to the end-user reporting engine for use in your reports.

]]></description>
			<content:encoded><![CDATA[<p>There are more than 270 tables and views in BPC RiskManager v6.x.  Not all of these tables and views are visible by default in the BPC RiskManager report builder.  Further, you can expand the system by adding your own tables and views to the database.</p>
<p>There are three main reporting systems in RM &#8211; the inbuilt reports (these cannot be expanded), the end-user reports (BPC RM ReportBuilder), and mail-merge/office template style reporting.  Of these, the primary tool for end-user reporting is the BPC RiskManager ReportBuilder reporting engine.</p>
<p>So how do you make these tables and views available to the BPC RiskManager end-user report development tool (Report Builder) so that you can report on them in your own reports?  Fortunately, BPC RiskManager allows you to add them to the reporting engine directly from the BPC RiskManager client, so that you can include them in your reports.</p>
<p>By way of an example, we will add the actions progress table to the end-user reporting layer and hook it into the magic-query maker, so that when you use the table in your reports it is automatically hooked to the appropriate master table or view (in this case &#8220;search_risk_actions&#8221;).  We are adding a raw table, rather than a view, so we will add the word &#8220;raw&#8221; to the name to distinguish it from the views.  The difference between the tables and the views is that the views populate the table&#8217;s look-up fields with the description field of the look-up table.</p>
<p>In the RM client, on the Administration tab:</p>
<ol>
<li>Go to Administration/Report Builder/Table Names</li>
<li>Select “New”</li>
<li>Enter in the fields:</li>
</ol>
<ul>
<li>Table_name: RISK_ACTION_PROGRESS</li>
<li>Table alias: Action Progress Raw</li>
</ul>
<p>(Note the spaces in the above)</p>
<ol>
<li>Select “Save”.</li>
<li>Go to Administration/Report Builder/Field Names</li>
<li>Select “Add Fields”</li>
<li>In the pop-up box enter: RISK_ACTION_PROGRESS</li>
<li>Select “Ok” – this will add the field names.</li>
<li>Go to Administration/Report Builder/Table Joins</li>
<li>Select “New”</li>
<li>Enter in the fields:</li>
</ol>
<ul>
<li>Table_name1: SEARCH_RISK_ACTIONS</li>
<li>Table_name2: RISK_ACTION_PROGRESS</li>
<li>Join_Type: dajtLeftOuter</li>
<li>Field_names1: Action ID</li>
<li>Operators: =</li>
<li>Field_name2: ACTION_ID</li>
</ul>
<p>NOTE the space in the Field_names1 “Action ID”</p>
<ol>
<li>Select “Save”</li>
<li>Close the administration window.</li>
</ol>
<p>The risk_action_progress table and its fields will now be available to Report Builder.</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2011/03/19/riskmanager-v6-2-6-how-to-add-tables-and-views-to-riskmanager-report-builder/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk and Social Networking Sites</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/#comments</comments>
		<pubDate>Wed, 19 Aug 2009 21:32:44 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[FaceBook]]></category>
		<category><![CDATA[KoobFace]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Trojan]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=79</guid>
		<description><![CDATA[Social networking websites as part of your branding, staff integration and presence solutions introduce some interesting risks for risk managers and IT professionals.  There is one group of point risks that are specific to the medium and carry the risk of seriously damaging client and public confidence in your organisation.
]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>So you are looking to lift your company, education institution or government agency&#8217;s web profile&#8230;</p>
<p>You do the usual things: rework the main web site, start up blog feeds, revamp forums, establish wiki or other information feeds, acquire/renew SSL certificates so the site can be authenticated as really being a bricks and mortar business.  So far so good.  All this stuff is under your control on your servers.  Your IT team can establish control and security over the software, you can monitor it and get a reasonable level of comfort that you can assure visitors that your site is safe to visit.</p>
<p>Then a consultant advises you that to reach the younger market, or even simply to project a progressive and innovative image, you need to embrace the more inclusive social networking spaces like MySpace, FaceBook, YouTube and/or Twitter.  &#8220;Everyone&#8221; is using these sites so they must be safe. Right?</p>
<p>No, wrong. </p>
<h2>Identifying the Social Networking Strategy</h2>
<p>Let&#8217;s look a little more closely at MySpace and FaceBook, specifically.  There are three broad approaches to using these platforms in business:</p>
<ol>
<li>Teams use the sites to establish private networks for intra-team communication;</li>
<li>Employees establish individual profiles and use the sites to establish direct customer to staff connections; and</li>
<li>The business uses the sites (primarily MySpace, in this case) to establish branding for a product or service, allowing the public to friend the product or service, etc.</li>
</ol>
<h2>Analysing The General Risks</h2>
<p>Each of these uses, in the right context, carries advantages to the business, so one view of the risk profile would say that not using the facilities is an opportunity cost that may disadvantage the business with respect to the competition, or (in the case of government) with respect to achieving the best possible policy outcomes and staying in tune with a target market or spinning the desired message.  So the case for adoption might consider possible causes of outcome failures to include:</p>
<ol>
<li>Costs of  setup and maintenance (staff time, materials preparation, policy formation, training, etc) exceeding tangible and intangible returns;</li>
<li>Inattention of staff to maintenance of the material &#8211; hence tarnishing the organisation&#8217;s image rather than enhancing it;</li>
<li>Inappropriate, inconsistent,  or confidential content being posted  hence complicating both the public positioning of the business or occasioning legal exposures;</li>
<li>Inconsistent branding or product/business positioning, where branding and positioning consistency are part of the business image, thus creating confusion in the market;</li>
<li>Disproportionate effort/investment (time, cost, attention, etc) being injected into maintenance of social marketing at the expense of other marketing or activity streams when measured in terms of comparative effectiveness and efficiency in achieving the business objectives, thus resulting in an overall drop in business performance and a net reduction in outcome achievement;</li>
<li>Exposure of information that materially benefits competitors more than it advantages the business, thus resulting in a general weakening of the market positioning through more effective and targeted competitor behaviour;</li>
<li>Market awareness of the social services among the target market of potential or actual service consumers being low while awareness among the non-target groups is relatively high, thus resulting in a net reduction in spend efficiency, or no perceived improvement of service among the consumer group;</li>
<li>Increased allocation of staff resources from finite available resources to maintenance of profiling information and friend interaction at the expense of productive outcomes (the traditional email productivity problem) &#8211; thus resulting in a demand for increased resources now for the same transaction outputs as before.</li>
</ol>
<p>We will identify these collective issues as the overall risk &#8220;That adoption of social networking within an Enterprise will fail to achieve intended business objectives&#8221; (such as improved brand awareness, improved profit, public acceptance of policy objectives, improved targeting of consumers through better feedback, etc).  The risk&#8217;s identified causes and consequences can be managed by appropriate remediation strategies and informed through the right measurement systems.  They are essentially under your control &#8211; if in some cases, only just!</p>
<p>Between the three broad purposes of FaceBook/MySpace adoption there are some additional point-risks (a cause &#8211; consequence subgrouping of an overall master risk) that are specific to your purpose for the site(s).  For example:</p>
<ol>
<li>Objectives 1 &amp; 2 increase the information available to both internal and external recruiters, better enabling them to target your staff;</li>
<li>Objectives 2 &amp; 3 increase the group awareness of public perceptions of the business and the individuals because comments and feedback posted to the individual profiles by customers (or people pretending to be customers)  can be visible to all other customers;</li>
<li>Objectives 2 &amp; 3 can be hampered by perceptions of low friend counts implying general public disinterest in the service, or the firm, etc.</li>
</ol>
<h2>Identifying The Show Stopper Risk</h2>
<p>Again these potential outcomes can, to some extent, be managed, but there is another risk that is potentially far more serious.  It is either not under your control or only controlled with an extensive amount of effort on your part.  It is squarely in the IT domain, surprisingly traditional, and arises directly as a consequence of the social networking medium:</p>
<ul>
<li>Client or staff computer infection by Trojan software.</li>
</ul>
<p>Now, before you go &#8220;oh right, that one again&#8221;&#8230; I fall squarely in the camp of IT professionals who consider that virus and Trojan defences are not a big issue, and relatively easy to manage for both the individual and the enterprise.  An enterprise just needs a sensible and proactive defence policy, some basic good house-keeping rules, and common sense.  So this is a most unusual thing for me to decide to highlight.</p>
<p>The difference is the nature of the interaction among users, and otherwise experienced and knowledgeable staff, that a social web site creates.  If someone you trust gives you something to look at, in an environment in which you feel secure, you will probably look at it&#8230; and that is the essence of the problem.  I suspect that users are likely to be less cautious in the social networking context than they are even with email systems &#8211; which we know are 98% spam (statistic based on our own email filter logs!).</p>
<p>For some years my IT Audit team ran &#8220;Tiger Team&#8221; penetrations of secure networks.  All IT intrusion specialists understand that, apart from systems that are simply below standard in their defences, effective intrusion generally requires some degree of social engineering &#8211; a bit of research on key people to get an idea of the password possibilities and targets, knowledge of where to go to get access (e.g. where branches are located, where systems are located in virtual or physical space, etc), physical access (or virtual access) to a weakly protected node, knowledge about work habits, an understanding of human nature, the ability to claim an association with someone else who is trusted, some degree of trust (e.g. an employee) so you can get others to cooperate with you, knowledge of the technologies in use, the ability to hide in a stream of otherwise normal activity without attracting attention, the ability to attract the attention/assistance of individuals or applications that can facilitate an attack without them realising they are assisting, etc.</p>
<p>MySpace and FaceBook, in the first instance, deliver on all these fronts:</p>
<ol>
<li>Their nature is to expose personal information about the individuals profiled on the pages &#8211; that is, after all, what they are about.</li>
<li>They provide a common meeting place that is universally known &#8211; the MySpace and FaceBook sites themselves.  The whole point of using these sites is that the job of getting your market to find you is done, so setting up your own version of MySpace or FaceBook on your web site does not achieve the same outcome.</li>
<li>They facilitate knowledge of the technologies in use &#8211; anybody can create FaceBook and MySpace apps, or learn how to create a profile page, or interact with others, etc &#8211; it is the entire purpose of, and essential to, the medium.</li>
<li>The sites create a false sense of safety.  They protect themselves from attack, but not necessarily the users, yet the illusion of a controlled space promotes an expectation that the services available have been vetted, when in fact the nature of the web means that these services are no more secure than any other web service.</li>
<li>They foster trust of individuals through artificial group association when in reality &#8220;friends&#8221; are simply random, potentially unknown individuals who are self-selected.  While you do not have to accept them, part of the point of using such a medium to promote yourself or your business/product is that you will probably be inclusive rather than exclusive &#8211; so clients visiting you should not assume that your other friends are in any way a vetted and approved group (as opposed to a user group forum, whose members will generally all be actual clients).  &#8220;Strangers&#8221; would be a better, more appropriate term.</li>
<li>They facilitate the exchange of large volumes of trivia.</li>
</ol>
<p>Now, all this is not necessarily a problem without the last ingredient.  They attract your clients like bees to honey, and because of all the other factors, in the process your clients &#8220;open the door&#8221; &#8211; they click on links of your friends, they view pages with ad feeds fed by a third party, and they post things (potentially with links) to your bulletin boards that you do not control, but that others access in trust.  And it all happens in real time.</p>
<p>Does this matter?  Yes. </p>
<h2>Where Theory Meets Reality</h2>
<p>Here are some examples:</p>
<ul>
<li>In July 2006,  <a href="http://www.theregister.co.uk/2006/07/21/myspace_adware_attack/" target="_blank">1 million users of MySpace</a> were infected with ad-ware simply by visiting profile pages.</li>
<li>In 2007, <a href="http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/" target="_blank">12 million page views potentially</a> infected up to that number of MySpace visitors with a Trojan.</li>
<li>This month and last (2009), an unknown number of MySpace and FaceBook users have been infected by the <a href="http://www.virusremovalguru.com/?p=518" target="_blank">KoobFace Trojan</a> as a result of viewing items added to the postings of friends of others&#8217; MySpace and FaceBook sites.    The first thing this Trojan does is contact all your existing &#8220;friends&#8221; via your site and post messages to them from you with the Trojan embedded in the message (after changing your mood so they are encouraged to take a look!).    The second thing this Trojan does is monitor your key strokes so as to collect identity, account and credit card information.</li>
</ul>
<p>This is just the start of the list.  When we tested this, the KoobFace Trojan slipped straight past two of our anti-virus/anti-spyware systems unnoticed!  Our tertiary network analysis defences spotted the change &#8211; but these are security specialists&#8217; tools and not the stuff on normal machines &#8211; and we knew what we were looking for.  Imagine how infecting the networks and computers of your corporate and public clients would help your market brand.  Bad if the client&#8217;s protection systems detected the infection attempt &#8211; but even worse if they didn&#8217;t!  Not only will the Trojan keylogger infection compromise their security, but as they enter the user IDs and passwords to access your client support systems, they will compromise your security.</p>
<p>The first problem here is that you and your IT team do not control the platform &#8211; and that is the issue that has to be addressed with all cloud computing solutions.  The second problem is that the essence of these technologies is unstructured social interaction (which is good), seemingly in a playground with nice metal fences (which is also good), but really in the middle of a highway, where the cars and trucks are invisible &#8211; but just as dangerous (which is not so good).</p>
<p>Wan&#8217;na play outside?  Yep &#8211; why not play in the street?</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/feed/</wfw:commentRss>
		<slash:comments>57</slash:comments>
		</item>
		<item>
		<title>Coming To RiskManager &#8211; Enrima Edition</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/coming-to-riskmanager-enrima-edition/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/coming-to-riskmanager-enrima-edition/#comments</comments>
		<pubDate>Sat, 08 Aug 2009 08:27:15 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[BPC RiskManager]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Enrima]]></category>
		<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Express]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[RM Development]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=17</guid>
		<description><![CDATA[A brief look at the coming changes to BPC RiskManager (Enrima Edition) in 2009]]></description>
			<content:encoded><![CDATA[<p>The release of V6.2.5 was delayed a couple of months because under the covers we were putting in a huge range of changes to the database to enable the addition or improvement of a very large range of features. Some of these capabilities existed in earlier versions of RiskManager, but were dropped with the release of the completely re-written and redesigned V6 solution. Others were phased out even earlier (like probability based risk models &#8211; in Version 2, and Bayesian decision trees &#8211; in Version 1 &#8211; 1996!).</p>
<p>Version 6 was designed around the A/NZ Risk Management standard and a poll of what clients were actually using, with the objective of vastly expanding the depth and versatility of the facilities in use rather than the breadth of features. So with V6, what is there is really useful and complete, rather than almost useful. Not all of the feature retirement decisions were correct, and for a large number the intention was not feature termination but feature resting.</p>
<p>Curiously, because BPC RiskManager Express is actually based on the RiskMan V5 code base, a number of these features &#8211; like Compliance, Risk Milestones, and MS Word Reporting &#8211; are in BPC RiskManager Express, which is the &#8216;Entry Level&#8217; system, yet were missing from the V6.0 release. BPC RiskManager Express got its screen makeover with last year&#8217;s release (actually it was started in the release of the year before and completed last year).  Version 6 got its Vista screen make-over in 2008 with the release of V6.2.0 (Enrima Edition).</p>
<p>In the years since V6.0 was released the world of Governance has advanced significantly, and many of the capabilities we phased out over the years are now becoming fashionable again. So&#8230; with the release of V6.2.5 we decided to put back into the database most of the features that had been retired in earlier years, feed them some steroids and add a raft of new capabilities (like corporate planning support), together with a Vista/Office 2007 style rework of the screen look and feel.  Buried in your V6.2.5 databases are 297 changes (sometimes fields, sometimes entire tables) just waiting to be surfaced to the client.</p>
<p>Over the next six months we will be progressively surfacing these capabilities to the V6 client. Things that are getting added or reworked include:</p>
<ul>
<li>Corporate Planning</li>
<li>Compliance</li>
<li>Multi-base consolidation</li>
<li>Workflow</li>
<li>Scripting</li>
<li>Compliance Document Management</li>
<li>Assertion based control assessment</li>
<li>Control modelling</li>
<li>Internal Audit Planning and Assessments</li>
<li>Assets (including buildings)</li>
<li>Scheduling</li>
<li>Probability calculations</li>
<li>What-If analysis</li>
<li>Import and Export</li>
<li>And much more&#8230;</li>
</ul>
<p>Now I know, some of you will look at that list and say about individual items: &#8220;I&#8217;ve got that now! How is that being added?&#8221;. Well, note that I said &#8220;added or improved&#8221;.  Existing versions of these features are getting a good dose of steroids, transforming the system from a register and risk/compliance maintenance tool to a planning and analysis tool and full corporate governance management system.</p>
<p>We gave the process of governance a significant rethink over the last few years and realised that to make it work from the risk management dimension as an aid to an organisation, rather than a standards compliance exercise, ERM has to start with the corporate planning side of the business and flow down to the business processes and ultimately to compliance management, with Internal Audit floating across all dimensions validating the reliability of the strategic and tactical control frameworks.</p>
<p>Senior executives, therefore, should use the Governance system to create and report against their corporate and business plans, and in so doing design (or enable the designing of) the risk framework against the strategic and tactical plans. The system therefore has to see risks not just as static demographic and environmental responses, but as a temporal and cognitive response to both the current and planned positioning of the organisation.</p>
<p>&#8230;And this is where we are going.</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/08/coming-to-riskmanager-enrima-edition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

