Disrespect and Exclusion

For the last 40 years, across multiple work engagements, I’ve observed unequal treatment and advancement of women in technology or related fields. I have been part of women’s technology groups advocating a more level playing field, such as the Executive Women’s Forum and the International Network of Women in Emergency Management and Homeland Security. At Washington Mutual overseeing specialized groups, I made hiring women in technical positions a priority and oversaw a mix of technical groups, ranging from business intelligence to vendor security management, from technology audit and compliance to crisis and event management, from root cause analysis to technology change management.

Sanitizing Bad News

I was thrilled to be the first expert interviewed by Sean Costigan in Red Sift’s new podcast series, “Resilience Rising,” available on Spotify. We covered a lot of ground, looking at firms like Wells Fargo, Boeing, Theranos, and JPMorgan Chase. I had written about much of what we discussed in 2017 in an article for Risk Universe magazine called “Executives and Risk: What Your Teams Won’t Tell You.”  I am reusing some of that material here, adding more recent assessments and a modest proposal.

Like practitioners in other disciplines that continue to evolve in a complex technological world, the maturity of risk managers varies widely. In recovering from the 2008 financial crisis, we’ve seen corporate managers rebrand themselves into this field or get promoted into it without necessarily understanding risk frameworks or methodologies.  There is a great deal of variation in the maturity of risk programs in large firms and in where such programs are housed organizationally.

When failures occur in risk management, they are almost always directly tied to the Basel Consortium definition of the four elements of operational risk – “the risk of loss or failure” from people, from processes, from systems or from external events.

Though it is the Chief Executive Officer (CEO) we usually see testifying in front of Congressional Committees, I would argue that CEOs are often the last to know what has gone wrong in their firms. The larger the company, the greater the level of complexity. Auditors and regulators frequently have a poor understanding of technology or services that are based on new innovations. High-speed trading instruments, artificial intelligence, cryptocurrencies, and cyber resilience all are rapidly evolving areas of competitive advantage, not usually subject to in-depth audit and compliance protocols in their early days except as broad concept explanations. Even if a risk is elevated, it may not yet constitute a compliance issue. The forms of reporting at early stages of what might be a very risky project make it almost impossible for the CEO to ask the right questions of the team. So where is the information bottleneck?

Boards hire CEOs who have certain characteristics, according to nearly every piece of literature that describes what makes a good CEO.  Experience counts, but because of privacy protections, liability issues, and complex exit agreements with former employers, recruiters for the new firm are probably not aware of issues or remediation plans that a candidate may have experienced in previous engagements. Extreme self-confidence can go a long way in the boardroom. Most C-suite executives have made their reputations with bold decisions and taking a significant amount of risk.

Most leadership books and articles also offer the same advice where delegation of responsibilities to a senior management team is concerned – even though the CEO is still held accountable for gross outcomes. The leader is both a receiver and an evaluator of information shared, rather than a do-er, or a hands-on shaper of the information.  Here’s where the quandary begins:  in the charged atmosphere of executive decision-making, where anywhere from five to fifteen consequential decisions get made daily, it is easier to accept the information reported than to question it, especially at the executive level. Bonuses in the form of stock or cash make it easier to turn a blind eye to risks that are not completely mitigated, or to control gaps that are reported blandly.

If we follow the bad news from the original identification of the failure, we see that, as we go up the reporting chain, the information becomes increasingly sanitized from manager to more senior manager, and that the information flow among the three lines of defense begins to fray as well. Financial loss at the enterprise level is often the story of an executive or a manager gone wrong, concealing the true impact of a problem in order to protect bonuses and jobs. Boards of directors can only ask hard questions if they get useful reports.

I’ve spent this column’s time on people risk because it seems to me to be the type we read the most about, and wonder each time why it keeps happening.  Though risk officers and cybersecurity officers are fired often enough, very rarely do CEOs lose their jobs or spend time in jail. It seems time to re-examine the set of corporate policies and guidelines for publicly traded companies created after the Enron scandal. Of the list of different firms I referenced at the beginning of this column, only the Theranos CEO is spending time in prison. Should there be a framework for boards of directors to use to determine under what conditions they meet to determine if it is time to fire the CEO rather than negotiate fat severance packages? Could the U.S. Securities & Exchange Commission create a rule that says to boards of directors, “Under the following set of conditions specified herewith, boards of directors are obliged to consider whether or not the Chief Executive Officer shall be removed and replaced?” 

For analysis of how to select reputable and qualified board members who might have valuable outside perspective during an operational risk failure, see my report, “Ensuring An Ethical Lens on the Board Member Selection Process,” published in 2022 by the Board Risk Committee.

Pay Attention

As we move toward a November presidential election, there seem to be more critical issues that involve critical infrastructure around the world—two ground wars, one in Ukraine and the other in the Mideast, each of which includes sophisticated technology as well. Research is being conducted to test the prospect of nuclear war conducted from space, which means massive investments in such research here as well. And there are increased tensions with both China and Iran.

Fines & Congressional Hearings

Welcome to 2024. Most of us are recovering from unusually harsh weather this weekend. The weather seems to correlate to some man-made events that are garnering a significant amount of editorial coverage. I will add to the coverage of the Boeing airplane door plug blowout. I should note that I have written several times about the Boeing 737 MAX culture, sales and training on its models, third-party vendors, and the lack of comprehensive regulatory oversight. To draw my conclusions and recommendations today, I’ve relied on articles by Dominic Gates of the Seattle Times (“Boeing’s Reputation Hits More Turbulence”), a Wall Street Journal article by Sharon Terlep and Andrew Tangel (“This Has Been Going on for Years”), a New York Times piece by Peter Coy (“The Scariest Part About the Boeing 737 Max 9 Blowout”), and a well-balanced analysis by syndicated columnist Zeynep Tufekci (“Two recent aviation incidents show the importance of regulation, training, expertise, effort and improvement of infrastructure, as well as professionalism and heroism”).

The Connection Between Reading and Action

Looking back, we understand that the books we read as children may have glorified or misrepresented certain aspects of life in earlier times. Thanksgiving is the easiest example that comes to mind, where a story was woven over grim facts to make a pleasing explanation. But when I think back to grade school, it’s the biographies of famous people that made the most significant impression on me. Most of them showed us exemplary decision-making at crucial inflection points. Though I read biographies of Frederick Douglass, Sitting Bull, Jesse Owens, and Geronimo, I was taken by biographies of amazing women – Elizabeth Blackwell, Jane Addams, Maria Tallchief, Althea Gibson, Elizabeth Cady Stanton, Marian Anderson, and others. You could say that most of them had to experience painful struggles to get to that astonishing right thing to do, and that is probably why we remember their stories. 

Advice You Can Act On

No matter where we look, we find ourselves exhausted and pained by a range of situations in the world today. We hesitate to speak about the most volatile because there might be unintended consequences. Thinking about such matters can cause us to lose our mental bearings as we find ourselves on different sides of the questions the situations raise. I thought I would try to offer some tried and true advice about how to navigate the world at this time.

Are You Prepared?

We seem to be surrounded by discord and impasses, both online and in the real world.  Whether it’s the insidious spread of disinformation in our current political climate, our inability to find workable solutions for homelessness or at our borders,  the impact that COVID has had on our society, or another hurricane or heat wave, we have lost confidence in our ability to manage daily conditions on the ground or to know which challenges are worth spending the time on to plan.

Cyber Threats in the “Post Corona” Era

Tomorrow I’m doing a live one-hour broadcast with questions from the audience interspersed with questions from the host, EXP Technical’s Kelly Paletta. The webinar is advertised as a look at risk and emerging cyber threats. I’m anxious to see how the questions align with some of the ASA areas for investigation in the future.

Making Our Peace With 9/11

Twenty-two years later, the sounds and images of that day reverberate. The 19-acre complex of buildings called the World Trade Center, considered to be the heart of the financial sector, was forever changed.

Testing Our Assumptions

Many of you have already suspected that retirement from the fields of operational risk, governance, cybersecurity, or information ethics, policy, and law is just not in the cards for me. I am trying to manage myself and ASA by working fewer hours, but the world continues to present us with unprecedented challenges.
