riskconsulting.in

your business. our risk management.

Love - what's risk got to do with it?

Well, according to this article, risk is basic and fundamental when it comes to love or making a match. To quote, "Somewhere in there, you have to take a risk, instead of sitting behind the safety of a computer screen." The author conveys a very useful reminder that sometimes, risk just has to be taken. Risk assessment or its management should not distract from a primary objective, which often times means we have to make a decision. As much as information is helpful, it will never be enough to auto-select a decision in complex business situations.

The other takeaway I would like to share is the scary thought that our decision-making skills are becoming paralyzed with the advent of the information revolution (instead of the other way around). I guess it is understandable if one spends a lot of time online, browsing websites, going through Twitter updates, following stock market symbols, catching up on friend/social updates, and the list goes on and on. We are unconditionally becoming better information browsers or at best, information processors. However, "the safety of a computer screen" is possibly making our decision-making and "diving into the pool" capabilities dormant. Did I just hear risk of information overload?

The evolving role of social media

Friends. Eavesdropping. Brand-building. Reputation and problem management. Customer insight. Excessive profiling. Instant connections. Flash mobs. Celebrity speak. Too many voices.

In case you did not see it, I have drummed up a few applications of social media -- and it appears to me that for each positive use there exists at least one corresponding not-so-positive impact. Social media continues to evolve and every now and then takes us with surprise. Reports of youngsters organizing flash mobs through BBM (Blackberry messenger) and an anti-corruption campaign supported by a tweet storm are some very recent examples. Did the creators of the supporting social media ever imagine such (unintended) consequences?

This is the marvel of technology. Regardless of the hours spent on use-case analysis, process modeling, or simulation/testing, the eventual human-computer interaction is challenging to discern or predict. And I conjecture that the risk impact is directly correlated with that challenge. If we think of technology as generally implementing some model, then we can better appreciate how hard the risk problem is. Intrinsic to a model is some underlying assumption as well as some boundary conditions. Even if the assumption holds true for a very long period of time (and is validated as such), bounding the model is difficult. Cases in point in the physical world: financial crises, geopolitical uprisings, critical infrastructure breakdowns.

In the context of social media, one basic assumption is the human need and willingness to communicate. The boundary conditions are the span of applications, which is what we see evolving and being challenged everyday. The uncertainty of these applications is what introduces risk and thus makes social media a real problem. Solution? My take is to acknowledge the role of social media, follow it closely, and resist the temptation of knee-jerk reactions. Or, as Mayor Michael Nutter of Philadelphia has done, leverage reasonable policy-making in the physical domain to mitigate real-world risk (note, he did not touch policy in the technology domain, as intuitive it may have been to do so).

Long-term, I believe social media is here to stay and will be represented in a given channel mix. Would I throw the kitchen sink at it? Probably not beyond the point of relevant opportunity, which has to be an individual assessment. Oh, and I would also watch for policy changes i.e. law of the land and business principles. I forecast social media is significant enough to warrant some level of governance -- hopefully that doesn't take us back to unsocial, err, just plain media.

Rewind CWG 2010: my analysis proves true!

 It turns out that my discussion of information risk and the 2010 Commonwealth Games (CWG) was spot on. Please read my previous post on the topic and match the coincident similarity of possible risk impacts with this article in the Times of India (10 months later!). I wish to highlight that information risk is very much pervasive and real -- even in the subject areas or domains with a lesser or not-so obvious correlation to information technology. No wonder, the CWG site was down at the time of publishing my previous post on 02/10/10!

*Disclaimer: These blog posts are analyses and commentary of an ordinary citizen and observer. They represent solely the author's thoughts alone. The author has not been involved with any inner workings or organizational details of the 2010 CWG.

Risk management does not equal alarmist

This quick writeup is motivated by a brilliant post on The Economist's Free Exchange blog. I wish to highlight a couple of points about risk and risk management. It seems that whenever a risk practitioner issues an assessment (especially an adverse one) that alarm bells start to ring and new predictions of armageddon surface. 

Case in point: the recent debt-ceiling crisis and reports about possible downgrade of America's sovereign rating. The beauty of the referenced post is that it articulates the pragmatic impact of a downward change in a commonly-tracked risk rating. Rather than jumping to "the world is coming to an end" conclusions, the writer calmly steps through what may happen next and neatly rationalizes the need for risk management. To quote the punchline (credit in part due to Financial Times):

"More vigilance makes the world a safer place ... risky assets do not cause crises. It is those perceived as being safe that do."

Risk management by its virtue is designed to be a "good" thing -- it is not intended to be negative, alarmist, or crisis-mongering. Encapsulated within this is also the message that risk is omnipresent and always around us. Whether in our role as investors or mere human beings, we have to learn to deal with risk and manage it to suit our tolerance. The other highlight is that risk is relative. Again, nothing new here, but a gentle reminder that risk assessment and treatment must be performed keeping the stakeholders in mind. And by extension, there are many options to deal with risk i.e. it may be accepted, mitigated, transferred, or simply ignored.

Choosing an encryption solution is tough

I stall whenever I come across articles about encryption solutions or offerings in the general press. The intent is good -- take up a difficult topic for the masses and address it with a "simple" solution. Therein lies the problem. Encryption and most security problems (or solutions) are not simple. Making security simple is a challenge and often confounds the very creators of such solutions. While I won't get into the reasons for that here, I will briefly conjecture that it is a result of the starting complexity of what is looking to be secured or a result of the pre-conceived notion that a security solution cannot be too simple to be true.

Back to encryption solutions or offerings. Why do I stall? My mind gets into a wild race and starts pondering the following types of questions: How would encryption product X assure confidentiality of my data, or transmission, or communication? Will this new software just give me a graphical illusion that bits and bytes are being encrypted? Or, how can I be sure that the encryption operates on my machine and only my machine i.e. it does not open up some fishy network port and start communicating with a rogue server on the Internet? Bottom-line, why should I trust encryption product X?

I believe these are thought-provoking questions and if you, the reader, usually don't consider these questions when it comes to online security then please step back and start to think. This is about being diligent when it comes to purchasing or signing up for technology. Especially technology that is intended to keep you safe and secure in a connected world. Just like you would consider the safety of a car, the durability of home construction, or longevity of packaged food, do the same when it comes to technology (including encryption and security solutions). So the reasonable next question is "How do I go about doing this?"

No, you do not have to disassemble software and understand what goes on under the hood. And you do not have to come up with any elaborate testing scheme. Rather, try to follow these simple and easily-achieved practices before you decide to swipe your credit card and purchase:
  • What is my objective and can it be achieved without installing new software? Maybe the operating system I use (e.g. Mac OS X, Windows, or Linux) already has something in-built to secure what I am trying to protect.
  • Sometimes the answer may lie in re-evaluating your use of technology. For example, if it is only a one-time need, does it absolutely have to be done using the computer or the Internet? Can it be done offline, using physical world techniques?
  • If technology solution it is, can you do some basic web research to get a feel for how many other people are using the product? Who is behind it e.g. a reputed company or a fly-by-night operator or one really smart individual? Who are you willing and able to trust?
  • Perform a mental walkthrough of how the solution would work. Will you have to establish yet another password? Are your details being stored elsewhere i.e. other than your computer? Is there excessive bias i.e. can the solution work without trusting any one component too much?
  • Ask an expert. Use those social networks and reach out to somebody proficient in this domain of knowledge. Ask her/him for their perspective -- they might even be able to take a test drive and tinker with it to give you a useful review.
  • Is open source an option? This is a tad bit philosophical and a personal choice. In my humble opinion, open source efforts generally come with greater less-perverse motivation. A distributed community effort can produce good software without over-incentivizing any one stakeholder.

Making sense of films and risk

Yesterday, I came across a thought-provoking blog post on The Economist. What grabbed my attention was a tweet about managing risk in the film business. I have been thinking a lot about the point of this post. To me, the thesis statement is that Hollywood movie studios manage their risk by going for the franchise model (read: sequel or series collection of movies centered on a book or a toy that people are already familiar with). I believe it is worthwhile to dig a little deeper and demystify risk in this context.

First, let's identify the stakeholders. At a minimum, we have the movie studios, film-related people (e.g. actors, directors, crew), book publishers or toy producers, movie theaters, and audiences. Second, let's establish that risk is always a composite of the chance of something (usually negative) happening and the magnitude of the impact of that happening. The post and the associated data tries to illustrate that once familiarity has been established in the marketplace via another product, it can lead to a steady audience in the movie theaters and thus generate seemingly stable cash flows for the studios. However, there are a number of details missing from the analysis.

Essentially, movie studios are not dabbling in any risk i.e. they are playing a very safe bet by going with a film only after some proven market success of its root theme, whether through a book or a product. There is simple cause and effect here; no fancy risk management per se. Because the book has captured an audience, or the toy has gripped children worldwide, the effect is safety for the film studio to invest in the project to make a related film. Supposing this were not the case, then at best I look at the movie studios as transferring their risk to the book publishers or toy producers - somewhat akin to "drink the suspect liquid; if you survive, I will take a sip of it too".

The other piece that is missing here is probability information. This post seems to talk about only the successful franchises - what about others that intended to start as franchises but because the very first release was a failure, the franchise could never come to being? To me, this is the classic mistake of discussing risk only in terms of absolute outcome values, omitting the likelihood data. Finally, the "safe gambles" taken by the movie studios do not result in much of an altered (read: more positive) risk profile for the theaters or the audiences. A conditioned patron may end up with a worse experience after watching the film (relative to the joy of reading the book or playing the toy), which implies greater risk to the audience and others in the ecosystem. Real risk management, like insurance, would perhaps compensate for the sense of loss, if it were measured and validated.

FB "awesome" feature and Twitter townhall? Apple?

My news feeds this morning were abuzz with snippets of Obama's Twitter townhall and Facebook's so-called "awesome" feature announcement. Okay, I have to admit that a virtual townhall with tweets is revolutionary. Why? Because it sets a new precedent for inclusivity and transparency. It also eases the consumption of information with bite-sized nuggets crossing cyberspace and being shared socially. I still need to look at Facebook's announcement in-depth but I don't see the big deal yet. Anyway, the purpose of this latest post is to share my thoughts on Apple through an article I wrote a few years back. My premise is that Apple is nothing short of design genius, its products evolving beautifully to increasingly hook up with our human senses. Check it out:

Click here to download:
ItsNotJusttheiPhone-061807.pdf (57 KB)
(download)

 

Marketing carries risks too...

This post is a simple analysis of risks related to marketing. One may ask what does marketing have to do with information risk, digital security, or pivacy? I am going to make the argument that by virtue of information being a unit of our society and the prevalence of digital media propagating that unit, marketing efforts can introduce risk -- risk that originates in the digital domain and gets converted into brand or reputation risk.

Let's take a look at some cases in point. There are reports and rumors about Apple working on the the next iPhone as well as a a "lite" version for developing countries. This is indeed welcome news for most stakeholders in today's webbed environment i.e. Apple fans, wannabe Apple fans, tech aficionados, and rest-of-us consumers. At the same time, let's recognize the fact that none of these news items are coming directly from Apple's official communication channels. Or, are they? One could make the argument that because Apple keeps so "mum" about what it's working on, that very behavior triggers a lot more whispers and frenzy marketing. The risk is that sometimes there is so much hype created or over-expectation creeps in and what finally gets announced becomes a disappointment for the consumer. I conjecture that the more evolved a brand gets, and the more suspense it creates around its next offering, the greater the likelihood for disappointment. This means that the next offering has to be that much better. The upside (like in the case of the iPad) is that if it is so well-received in the backdrop of all the suspense, then kudos to the brand for releasing a truly superior offering. High risk high reward?

Pottermore. As many of us would have read recently, renowned Harry Potter author, J.K. Rowling, made an announcement about giving back to her fans in the form of an "exciting online experience". When the site first went live, it created a lot of buzz with many a Twitter or Facebook update squealing with delight about what may be coming next. People found it difficult to contain their excitement and could not help but speculate about what was in store. The good news is that the official announcement was timed pretty well in the sense that there was not a big lag between the teaser and the trailer. However, it comes with its fair share of risks too. For starters, there was so much build-up that when genuine supporters visited the site post-announcement, they were unable to provide their e-mail address for further updates. While this is an availability risk in the information domain, it easily gets converted into brand tune-out or turn-off if the service continues to be unavailable. A similar risk stems from the time interval between the trailer and the final release. In digital time, months of wait are akin to psychological years, which may be just too long. There is also collateral damage to an associate brand (in this case Sony) who will definitely face the flack for a less-than-spectacular digital experience (if that were the case).

The final example stems from some solid action that Facebook took against opportunistic brands in India aided by their digital marketing or advertising agencies. The gist of the incident is that certain brands hosted promotions that violated Facebook's guidelines, in an effort to bolster the number of "Likes" or fans. Online platforms such as Facebook's have made it very easy for almost anybody and everybody to try their hands at digital marketing or advertising. By virtue of a platform, producing presence becomes almost like "plug n play" - and therein lies the risk. When major brands such as Cadbury's, FCUK, and Pizza Hut, start to delegate the online management of their brand to amateurs (internal or external), they not only expose their lack of appreciation for digital media but also bring on compliance risk. After all, who has the time to read all the fine print in official guidelines or terms and conditions documents? For all the bashing that bureaucracy gets, it may just have mitigated the risk of having a social networking site (of all entities) takedown your online brand. There may have been someone to wave the red flag and recommend due diligence. Is this what multi-billion dollar brands waited for i.e a sub-10 year old dot.com slapping them on the wrist for bad online behavior?

Risk of mismatch and Raspberry Pi!

In a previous post, I discussed some of the social risks of technology replacing jobs that are done by human beings; more specifically, aggregation of technology possibly making thousands of jobs redundant into say, just hundreds. According to some recent reading it turns out that there is a variety of mismatches in the job market - at least in the US. One NPR blog discusses the skills mismatch caused by baby boomers who are retiring from "older" industries such as manufacturing, utilities, and agriculture, thus creating 2 million vacancies for which enough people cannot be found. While you can read the original writeup, part of the argument is that with the large number of college-educated folk, talent supply in the job market is over-qualified and not vocational enough to perform these jobs. This leads to a serious moral dilemma, wherein the ideal has been to promote college education and further oneself; however, the grim reality is that there are lots of "other" jobs that don't really need that 4-year college degree. 

At the other end of the spectrum are the sophisticated, high-tech, computing, and software companies that are complaining about the lack of computer science talent. There are scores of articles, reports, and commentary about the shortage of graduates with the skills to write code or do computer programming. And this is not just in the US - it has motivated one games developer in the UK to prototype a mini-computer called the Raspberry Pi to help children understand the computing process and perhaps even pick up some compsci skills!