Changing Risk and Technological Change

I am rather cynical about most articles I read on Horizon Scanning and business continuity so I quite understand if you regard this article in a similar way. However, having written recently about the transformative power of technology and how this is accelerating (see earlier blog titled Thinking Ahead), we started to think about what this means in terms of new risks.

So, just to get you thinking, here are 3 developing risks:

  1. Self-drive cars are already being actively tested and are being driven on our roads.  I wonder if anyone has considered the possibilities from the point of view of a terrorist? Take one “Google Car” and ask it to transport your suitcase full of explosives to Canary Wharf and wait for someone. Of course the someone does not come and the remotely transported bomb explodes.  I am sure that you can think of many variations on this theme.
  2. Drones can be used for peaceful purposes such as delivering goods in remote areas.  However these could also be asked to carry explosives or smuggle drugs. Indeed, it does not take much imagination to envisage flying a small drone into a high office window where it explodes to kill its target.
  3. Space weather has received a great deal of coverage recently. How about space junk?  The early space exploration has left a great deal of material orbiting the Earth where it occasionally causes problems, such as when an operational US satellite collided with an older and defunct Russian unit. The prospect of losing key weather satellites which provide the early warning for Hurricanes and other severe weather is not trivial, any more than losing communications or GPS satellites. We on the ground increasingly rely on the services provided from space and it would be disappointing indeed to lose such services owing to a collision with space junk.

Risks continue to evolve and whilst these new issues present themselves, we should remember that other risks decline too. As technological change accelerates the real challenge is to direct our attention to the risks that can really threaten our business and to distinguish these signals from the increasing amount of noise.

    PC vulnerability, Operating System and Country Differences

    We are all frequently urged to protect our PCs against Malware but it is not always easy to quantify the benefits of doing so. After all, if I have no infections on my PC, is it because of the software I have installed or is it just that there was no malware threat? Fortunately some recent research can quantify some of the differences.

    A study by Microsoft used data from over a billion systems worldwide and showed that systems that do not have up-to-date Anti-Virus protection are 5.5 times more likely to be infected with malware than systems that are protected. This means that 270 million systems worldwide did not have up-to-date AV installed in the second half of 2012. Remarkable given that reasonably effective software is available for free.

    There are other clear lessons that emerge from this analysis. Windows 7 is more secure than Windows Vista and this is much more secure than Windows XP. 64-bit systems are more secure than 32-bit systems. So if you are still running XP – whether in your office or at home – it's time to move on. Windows 8 seems more secure still but this is possibly distorted by the fact that this is a relatively new OS and fewer attacks are being designed against it. So XP machines running SP3 had an infection rate of 4.2 per thousand, whilst Windows 7 64-bit was at 1.2 – unprotected XP machines were at 15.6. So there is an enormous difference between protected and unprotected machines, and different OS offer different levels of protection too.

    There are huge differences between countries with Pakistan and Georgia both standing out with around 100 out of every 1000 unprotected PCs being infected. Rates of protection and infection vary enormously from country to country and so business travellers should be very aware of these differences and ensure that they are protecting their PCs accordingly.

    Two key things emerge:

    1. Ensure that up-to-date AV protection is installed on all devices, at home and at work;

    2. If you are running XP, it is time to move on to a more secure OS.

    You can read more about Microsoft's findings at

    Guest Blog: Auditing Business Continuity

    This week we have a guest Blog written by Glenn Smith. In this Glenn gives some insight into auditing using his considerable experience of auditing against ISO 27001, ISO 22301, ISO 14001 and ISO 9001. Over to Glenn:

    Most of us have heard the word audit but do we really understand what the objectives and benefits of an audit are?

    To start with, let us define an audit:

    'an audit is an evaluation of a person, organization, system, process, enterprise, project or product against a product or performance specification, sets of rules or an agreed or approved way of doing things'

    So why go to all that effort and audit?

    1. Certification requirement. If you have or need to have an accreditation to a British standard (BS), International Standard (ISO) or other national standard, then the requirement to complete an audit of your performance against the criteria set out in the Standard will be obligatory. This will be particularly true of any management standard.
    2. Other regulatory or governance requirement. Here the need to audit may not be part of the requirement, however, knowing that you are compliant with your regulators, stakeholders or even customer's requirements to complete business could be a key success factor. The last people you want to be aware of any failings are those that keep you in business.
    3. Audits should be considered as part of a management system i.e. not to be thought of in isolation and a chore to be completed. They are an independent review of the organisation's current performance against the agreed criteria. Whether using an internal resource or external the audit should be an objective unbiased review.
    4. Using a third party, the audit process gives you access to industry/sector expertise.

    So what does an audit really consist of?

    Firstly it has to have a purpose: check against compliance, gap analysis against a standard, check for improvement... Within that purpose then, each audit should have a scope, i.e. how much of the organisation is being looked at, and a set of defined objectives.

    Audits should also be planned. Typically –

    • An opening meeting with all the players, inc senior management, to explain the audit, the process and outcomes
    • Overview meeting with senior management
    • Documentation review
    • Interviews with key players
    • Walk about including talks to other players as found
    • Conclusion meeting to confirm audit results

    To benefit the organization, an internal audit service needs to be professional and provide real value to an organisation. Its aim is to help ensure that the entity continues to meet the requirements of the standard/regulation/governance/stakeholder or customer need, and most importantly that the management systems really do benefit the organisation and that they are not seen as a bureaucratic overhead. This is done by using auditors who understand how a business works, the Standard, industry requirements, being pragmatic and how a management system can support a business.

    Using Standards, supported by audit, allows companies to publicly demonstrate the quality of what they do and deliver to their customers; and internally help to embed best practice into an organization of any size.

    Look on auditing as an opportunity to learn and improve your business, not a test of what you can get away with!

    Odd Events

    A couple of news stories have made me pause and take note this week. One is currently still running at the time of writing, a BA aircraft with an engine fire which has closed both runways at Heathrow, so we will see what lessons may emerge from that subsequently.

    The other stories which gave me pause related to Belper in Derbyshire and Stockholm in Sweden, and in both cases it was the dissonance between my perception and the reality of the news item. Let us start with Belper in Derbyshire, a small town in the Midlands which grew during the industrial revolution as a Mill Town, home of the 2nd ever water powered cotton mill. A prosperous place during the Victorian era, it is now a pleasant post-industrial town of 20,000 or so. Thornton's chocolates were made here for many years but they moved to a new site in the 1990s and since then Tesco decided to re-develop the site for a new supermarket. Which is where the story gets interesting.

    Tesco have been opposed in a number of towns as it is felt that they destroy the local retail trade and take people out of the town centres. This is the case in Belper, where an action group has been opposing Tesco's plans since 2007. On Friday May 10th there was a major explosion at the proposed site and this was followed by a fire. The explosion resulted in a large plume of smoke and dust that forced traffic to stop, and it has been confirmed that the explosion resulted in a release of white asbestos. You can read the local paper's coverage here. It seems that opposition to the Tesco supermarket has turned to direct and violent action – not exactly what one might expect in a quiet Midlands town. This story does emphasise the need to be vigilant about neighbouring premises and what activities they may attract as well as what they do themselves. Something that should be reflected in your risk assessment.

    The second story was similar in that the combination of the incident and the place seemed oddly different from one's expectations. "Riots in Stockholm After Shooting" said the headline. In Stockholm? Riots? The article went on: "Rioting youth torched cars and fought police in a Stockholm suburb into the early hours of Monday, injuring four police officers and causing substantial damage to property. A total of about 50 cars were damaged in the fire, which forced the temporary evacuation of a nearby residential building." It seems that there were protests which turned violent, following the shooting of a 69 year old man armed with a knife by police. There is some echo of the London riots here, which started with the shooting of an armed criminal.

    The lesson here is to remember that both these events are relatively rare but that you should not simply assume that such things don't happen in Belper/Stockholm/near us, and that you should consider the impact upon you as well as the likelihood of such events. Low likelihood and high impact events should be part of your risk assessment and be considered as part of your strategy, and these scenarios are also useful in informing the exercising that you undertake.

    Thinking Ahead: The 2nd Half of the Chessboard

    There is a story that the inventor of chess was offered the chance to name his reward by the ruler of his country (Persia or India – the origins are imprecise). He chose to have a single grain of rice on the first square of the chessboard, 2 on the 2nd square, 4 on the next and so on, doubling each time. By the time you are halfway across the board, the rice amounts to about 100,000 kg, a large amount indeed. However, the rice on the 2nd half of the chessboard rapidly rises to a pile higher than Everest and more than 1,000 times annual global rice production. Indeed the 1st square of the 2nd half of the chessboard contains more rice than all of the 1st half of the board.

    Technology has already transformed our lives in many ways. I remember the IBM engineers carrying their mobile phones. Each came in a case and weighed several kilos. Now, many of us have smart phones that do a wondrous selection of things that were unimaginable even 10 years ago. I once worked in a "Computer Department" and now computers are everywhere; indeed that smart phone has more computer power, memory and storage than the mainframe computer that used to run all our banking systems when I started work.

    But this is only the beginning of the computer age. What is about to happen may be even more mind boggling than what has already occurred. Moore's Law states that computing power doubles every 2 years and this has remained true since the observation was first made in 1965. This is often quoted but little thought about. This means that the computing power available in 2015 will be double that of this year, and by 2017 doubled again and so on. We are on that chessboard, and now we are starting to enter the 2nd half of the chessboard.

    What does this mean in practice? One thing it means is great uncertainty as it becomes increasingly difficult to keep abreast of the technical changes and the technological impacts of these changes. Let us consider the mobile phone again. I have already seen working devices that no longer come in the form of a handset. An ear piece and a lapel mike are linked wirelessly to the transmitter/receiver in a pocket. You can speak to the device to make calls, and use a keyboard displayed by a mini-projector onto your hand if you need to make calls or send text messages. The mobile phone as we currently know it will disappear. That's significant if you are Samsung, Apple and the like.

    What about cars? Self-drive cars are already under trial and are sharing roads with real drivers. So why not self-drive delivery vehicles? You simply load the vehicle, programme its destination and away it goes. What implications does this have? White van man, lorry drivers, courier services could all be shedding large numbers of jobs. What are the legal implications if there is an accident? What contingency plans should the operator have for failures such as GPS being affected by a Coronal Mass Ejection from the sun (see previous blogs)? When the vehicle arrives at its destination, does a robot then carry the goods to the householder?

    Well, we cannot be certain about these changes, but we can say that they will challenge every part of our lives and in ways that we cannot yet envisage. So next time someone talks to you about horizon scanning, think about this: we are just entering the 2nd half of the chessboard.

    Resilient Cities, John Snow and Mapping

    An exhibition has opened in London to celebrate 200 years since the birth of John Snow (1813-1858). A man whose name is more recently associated with a famous English fast bowler and a current TV News reader, John Snow was famous in his own time for pioneering anesthesia. He was the first to be appointed to attend Queen Victoria, wrote the first text book on anesthesia and pioneered the first inhalator.

    For those of us with an interest in resilient cities, his fame relates to his work on Cholera. In Victorian London, Cholera was a terrifying disease that swept through the population from time to time. You could feel sick in the morning and be dead by nightfall, and there was no effective medical intervention. Its cause was thought to be through air borne transmission related to the foul smells of the developing City. It was recently described as the AIDS, H5N1 and Corona virus all combined and of its day.

    In 1854 a further outbreak occurred in Soho and this is where John Snow enters the story. He mapped the disease in Soho and a similar outbreak in South London. He concluded that this was water borne and not air borne, and that the source of the outbreak was the pump from which everyone obtained their water. He is famous for saying that the outbreak could be stopped by removing the handle. Now this was done, despite understandable opposition from those deprived of their source of fresh water, and the disease duly halted.

    This story was related at Snow's funeral by his good friend, and in 1883 the bacteria that caused this disease were discovered in water, final proof of John Snow's theory. When the US needed a text book to start their work on public health, the book started with the story of John Snow.

    To this day, the basics of John Snow's argument are still key to building resilient cities – i.e. clean water and clean housing. London still benefits from the Victorian sewers and clean water that transformed public health more than anything before or since. But it is a story and whilst the key facts are correct, the reality is more complicated and complex with many more actors involved. Nonetheless, we should celebrate John Snow for what he was and did achieve and take him to represent the many others that also contributed. You can learn more by attending the exhibition featuring his original maps at the London School of Tropical Medicine (see and having a drink in the John Snow pub at 39 Broadwick Street, London, W1F 9QJ, outside of which is a pink slab that marks the location of the pump whose handle was so famously removed.