"That no free government, nor the blessings of liberty, can be preserved to any people, but by a firm adherence to justice, moderation, temperance, frugality, and virtue; by frequent recurrence to fundamental principles; and by the recognition by all citizens that they have duties as well as rights, and that such rights cannot be enjoyed save in a society where law is respected and due process is observed.” -- George Mason
Gun Violence is Everywhere in America
Most Septembers, I write here about 9/11, a day where nearly 3,000 people died at the hands of foreign terrorists -- surely a day that will never be forgotten in our nation’s history. I use this month to press for four recommendations from the 9/11 Commission Report that have yet to be implemented 20+ years later. This year, I’d like to use my time to salute the courageous members of New York City’s fire and police departments who died or were injured on the job, as well as emergency medical technicians and emergency room personnel in Manhattan hospitals who cared for those who survived or who were injured while helping others that day.
The Hazards of Interconnection
Setting aside the political landscape for a moment, it’s been a whirlwind of a month. There have been incidents that look like repeated examples of the same old challenges – the search for a permanent ceasefire in the Mideast, watching Ukraine struggle valiantly against Russian aggression, and what NOAA calls “an early and violent start” to the 2024 Atlantic hurricane season, illustrated by Hurricane Beryl and Tropical Storm Debby. These have been interspersed with newer infrastructure challenges like getting the two astronauts in the Boeing Starliner home from space and hardening obvious attack surfaces from aggressors, whether the victim is Microsoft, entire judicial districts, or the former president.
How I Got Here
Twice in my long and varied career I stepped away from structured institutions to build unconventional business models. The first was Delphi Computers & Peripherals (1984-1999), early in the PC technology evolution that we all take for granted now. I learned a great deal from the experience, hired an amazing staff, won a number of awards, and grew Delphi to a multimillion-dollar company.
Checks and Balances
This country has experienced chaos since it was founded. It was born out of a belief that there was a form of government that could be organized out of the consent of the governed, different than a monarchy, where the people’s rights were not acknowledged or protected.
Speaking Up
As we see repeatedly in reports of current events, a workplace’s culture is often at the heart of ethical and regulatory misconduct. Corporate leaders are grappling with strategies to win back market share and deliver profits to the bottom line. In eliminating or downsizing groups inside an organization, a certain amount of institutional memory gets lost – and governance models are rarely reworked to reflect the new reality. While some processes to identify, report, and repair misconduct are operational because of the role of government regulatory oversight, most companies struggle with how to identify problems early and create a more transparent workplace where “speaking up” is expected.
15 Years Later
The corporate paperwork that created my firm was filed in May of 2009. We spent a few months designing the ASA website as a vehicle visitors could use to understand our services and serve as a research library for publications we would create. Though our primary focus would be on operational risks to the nation’s critical infrastructure sectors, our mandate included ethics reviews, policy recommendations, and improvement of existing laws – with a special focus on six key sectors: banking and finance, IT, energy, communications, public health, and emergency services.
Disrespect and Exclusion
For the last 40 years, across multiple work engagements, I’ve observed unequal treatment and advancement of women in technology or related fields. I have been part of women’s technology groups advocating a more level playing field, such as the Executive Women’s Forum and the International Network of Women in Emergency Management and Homeland Security. At Washington Mutual overseeing specialized groups, I made hiring women in technical positions a priority and oversaw a mix of technical groups, ranging from business intelligence to vendor security management, from technology audit and compliance to crisis and event management, from root cause analysis to technology change management.
Sanitizing Bad News
I was thrilled to be the first expert interviewed by Sean Costigan in Red Sift’s new podcast series, “Resilience Rising,” available on Spotify. We covered a lot of ground, looking at firms like Wells Fargo, Boeing, Theranos, and JPMorgan Chase. I had written about much of what we discussed in 2017 in an article for Risk Universe magazine called “Executives and Risk: What Your Teams Won’t Tell You.” I am reusing some of that material here, adding more recent assessments and a modest proposal.
Like practitioners in other disciplines that continue to evolve in a complex technological world, the maturity of risk managers varies widely. In recovering from the 2008 financial crisis, we’ve seen corporate managers rebrand themselves into this field or get promoted into it without necessarily understanding risk frameworks or methodologies. There is a great deal of variation in the maturity of risk programs in large firms and in where such programs are housed organizationally.
When failures occur in risk management, they are almost always directly tied to the Basel Consortium definition of the four elements of operational risk – “the risk of loss or failure” from people, from processes, from systems or from external events.
Though it is the Chief Executive Officer (CEO) we usually see testifying in front of Congressional Committees, I would argue that CEOs are often the last to know what has gone wrong in their firms. The larger the company, the greater the level of complexity. Auditors and regulators frequently have a poor understanding of technology or services that are based on new innovations. High-speed trading instruments, artificial intelligence, cryptocurrencies, and cyber resilience all are rapidly evolving areas of competitive advantage, not usually subject to in-depth audit and compliance protocols in their early days except as broad concept explanations. Even if a risk is elevated, it may not yet constitute a compliance issue. The forms of reporting at early stages of what might be a very risky project make it almost impossible for the CEO to ask the right questions of the team. So where is the information bottleneck?
Boards hire CEOs who have certain characteristics, according to nearly every piece of literature that describes what makes a good CEO. Experience counts, but because of privacy protections, liability issues, and complex exit agreements with former employers, recruiters for the new firm are probably not aware of issues or remediation plans that a candidate may have experienced in previous engagements. Extreme self-confidence can go a long way in the boardroom. Most C-suite executives have made their reputations with bold decisions and taking a significant amount of risk.
Most leadership books and articles also offer the same advice where delegation of responsibilities to a senior management team is concerned – even though the CEO is still held accountable for gross outcomes. The leader is both a receiver and an evaluator of information shared, rather than a do-er, or a hands-on shaper of the information. Here’s where the quandary begins: in the charged atmosphere of executive decision-making, where anywhere from five to fifteen consequential decisions get made daily, it is easier to accept the information reported than to question it, especially at the executive level. Bonuses in the form of stock or cash make it easier to turn a blind eye to risks that are not completely mitigated, or to control gaps that are reported blandly.
If we follow the bad news from the original identification of the failure, we see that, as we go up the reporting chain, the information becomes increasingly sanitized from manager to more senior manager; and that the information flow among the three lines of defense begins to fray as well. Financial loss at the enterprise level is often the story of an executive or a manager gone wrong, concealing the true impact of a problem in order to protect bonuses and jobs. Boards of directors can only ask hard questions if they get useful reports.
I’ve spent this column’s time on people risk because it seems to me to be the type we read the most about, and wonder each time why it keeps happening. Though risk officers and cybersecurity officers are fired often enough, very rarely do CEOs lose their jobs or spend time in jail. It seems time to re-examine the set of corporate policies and guidelines for publicly traded companies created after the Enron scandal. Of the list of different firms I referenced at the beginning of this column, only the Theranos CEO is spending time in prison. Should there be a framework for boards of directors to use to determine under what conditions they meet to determine if it is time to fire the CEO rather than negotiate fat severance packages? Could the U.S. Securities & Exchange Commission create a rule that says to boards of directors, “Under the following set of conditions specified herewith, boards of directors are obliged to consider whether or not the Chief Executive Officer shall be removed and replaced?”
For analysis of how to select reputable and qualified board members who might have valuable outside perspective during an operational risk failure, see my report, “Ensuring An Ethical Lens on the Board Member Selection Process,” published in 2022 by the Board Risk Committee.
Pay Attention
As we move toward a November presidential election, there seem to be more critical issues that involve critical infrastructure around the world—two ground wars, one in Ukraine and the other in the Mideast, each of which includes sophisticated technology as well. Research is being conducted to test the prospect of nuclear war conducted from space, which means massive investments in such research here as well. And increased tensions with both China and Iran.