THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

June 2011
In This Issue
Registration Open for SARMA's 5th Annual Conference in September
CIP/HS Graduate Studies Survey
Talbot: On High Reliability Organizations
Reports: Nuclear Terrorism Assessment, Intelligence and Budget Constraints, and More
Thanks to our Silver-Level Corporate Patron

ABS Logo
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2011 SARMA. All Rights Reserved.

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

As we enter the summer months, I am pleased to announce that SARMA has reached a significant milestone in its young life -- five years of service to the security risk community. We will celebrate this achievement in many ways over the coming months, starting with the introduction of a special commemorative logo (see below) that will be our official symbol for the next 12 months.
[SARMA 5-Year Commemorative Logo]
Another highlight of the year will be the 5th Annual Conference on Security Analysis and Risk Management. Hard to believe, but the conference is less than three months away! Our Conferences & Events Committee has been doing yeoman's work in preparation, and I am pleased to announce that registration is now open through the SARMA conference website. All the details can be found below.

As many of you know, we also hold our annual meeting and Board of Directors election in conjunction with the annual conference. This year, SARMA is seeking qualified nominees to fill five seats. We invite you to consider nominating a member in good standing with the association who would be willing to represent the interests of their colleagues in the profession.

Duties and responsibilities of elected Directors include:
  • The SARMA Board of Directors has general responsibility for the business affairs of SARMA and defines the direction and policies to be carried out in accordance with the purposes and goals as set forth in SARMA's bylaws.
  • Members elected to the Board are expected to attend, either in person or by phone, at least three of the four quarterly meetings each year. Board meetings are typically held in the Washington, DC metropolitan area and range from 2-4 hours each. When possible, attendance in person is preferred.
  • Members are also expected to participate in e-mail discussions and occasional conference calls on specific topics of importance throughout their term of office.
  • Board members also typically serve as a chairperson or member of one or more of SARMA's 16 committees, which are essential to the success of the association and its mission. 
To read more about the nominating process and requirements, please view the SARMA Nominating Committee's official call for candidates. All nominations for the SARMA Board of Directors must be received by SARMA and/or postmarked by midnight, July 31, 2011 to be considered for this year's elections.  

Similarly, the annual conference provides an opportunity to recognize outstanding contributions to the security risk management profession and SARMA. In that regard, we invite you to nominate an individual or individuals who meet the criteria for one of the following awards:

Excellence in Public Service Award
  • Purpose: To recognize an individual or individuals who have strongly and consistently championed security risk management principles and practices in government, and whose actions have had an important impact on the way security risk management is implemented in the public sector.
Edward J. Jopeck Founder's Award
  • Purpose: To recognize an individual or individuals who have made a significant and lasting contribution to the security risk management profession. 
SARMA Service Award
  • Purpose: To recognize an individual or individuals who have made an outstanding contribution to SARMA's success.
To read more about the nominating process and requirements, please view the SARMA Awards Committee's official call for nominations. As with nominations for the SARMA Board of Directors, all award nominations must be received by SARMA and/or postmarked by midnight, July 31, 2011 to be considered.  

Finally, while the progress to date has been excellent, the Conference Committee tells me there is always more that could be accomplished with additional volunteers. To find out how you could assist in conference planning, or provide on-site support during the conference, please contact our Conference Coordinator, Mary Miller, at conference@sarma.org.

My best,

Kerry


Kerry L. Thomas
President

 

Events
Registration is Open for the 5th Annual Conference!

Registration for SARMA's 5th Annual Conference is now open, and a discounted Early-Bird rate is in effect until Friday, July 15.

Scheduled to run from September 13-15, 2011 in Arlington, Virginia, this year's conference is being co-hosted by the George Mason University School of Law's Center for Infrastructure Protection and Homeland Security (CIP/HS). On Tuesday, September 13, SARMA will also host its annual Evening Welcome Reception.

The two-and-a-half-day conference will feature over 50 speakers and dozens of presentations and panel discussions focused on the following subjects:
  • Community Risk
  • Critical Infrastructure Risk
  • Cybersecurity Risk
  • Public Policy for Risk Management
  • Risk Education and Training
  • Risk Management Standards
  • Security Risk Methodologies and Practices

Fee Schedule:
  • General Registration - $495 (Early-Bird Rate: $425 if registered by July 15)
  • Government/Academic Registration - $375 (Early-Bird Rate: $300 if registered by July 15)
  • Student Registration - $75 (full-time student ID required)
  • Evening Welcome Reception - $60

-----


This year's conference will take place in a beautiful new building on GMU's Arlington campus known as Founders Hall.

The conference starts at 8:30 AM on Tuesday, September 13 and runs until 12:30 PM on Thursday, September 15. The Evening Welcome Reception will be held from 5:30 to 7:00 PM on Tuesday. 
 
We expect to have approximately 60 expert speakers over the two-and-a-half-day conference, and although the deadline for early consideration of abstracts has passed, there are still some speaking slots available. If you or someone you know is interested in speaking, please download and fill out our speaker application form (which can be found on the SARMA website here), and email it to the conference planning team at conference@sarma.org as soon as possible.

The conference summary page, the invitation page and the registration page are all available on the SARMA conference website.

We look forward to seeing you at the annual conference in September!


Surveys

CIP/HS Graduate Study Survey


The Center for Infrastructure Protection and Homeland Security at George Mason University's School of Law (CIP/HS), in support of the Department of Homeland Security, recently completed the development of several graduate-level courses in critical infrastructure protection that will become part of a comprehensive and unified approach to homeland security education. CIP/HS is conducting a brief survey regarding the demand for and implementation of these new graduate courses in critical infrastructure protection. The survey contains only 10 questions that should take no more than five minutes to fill out -- and will provide valuable input. 
 
To participate in the survey, simply click here.

CIP/HS and SARMA appreciate your time and thank you in advance for participating.

Analysis

Lessons from High Reliability Organizations (HROs)

by Julian Talbot

Some of the best research in the area of risk management comes from studies in an area known as high reliability organizations (HROs). HROs include organizations such as nuclear power plants, aircraft carriers and air traffic control systems. These organizations are notable, according to Gene Rochlin, because they "have not just failed to fail; they have actively managed to avoid failures in an environment rich with the potential for error." That ability to actively and reliably reduce the chance of mistakes occurring, rather than simply to avoid the hazards, has been the distinguishing hallmark of most HROs, and their experiences offer many lessons for the application of risk management at the enterprise level.

Work by Karl Weick and Kathleen Sutcliffe suggests that five key elements contribute to what they describe as a state of "mindfulness":
  • Preoccupation with failure
  • Reluctance to simplify interpretations
  • Sensitivity to operations
  • Commitment to resilience
  • Deference to expertise
At first glance, many of these processes appear to be self-defeating on multiple levels. But, as Weick and Sutcliffe explain, the processes are necessary if a high reliability organization is to be successful.

Preoccupation with failure
HROs, like most organizations, celebrate their successes, but Weick and Sutcliffe also note "a chronic worry in HROs is that analytic error is embedded in ongoing activities and that unexpected failure modes and limitations of foresight may amplify those analytic errors."

Reluctance to simplify interpretations
Most organizations are happy to handle complex issues by simplifying and categorizing them, thus ignoring certain aspects. HROs, however, take nothing for granted and support cultures that attempt to suppress simplification, because it limits their ability to envision all possible undesirable effects as well as the precautions necessary to avoid those effects. HROs pay attention to detail and actively seek to know what they don't know. They endeavor to uncover those things that might disconfirm their intuitions, despite being unpleasant, uncertain or disputed. Skepticism is also deemed necessary to counteract the complacency that many typical organizational management systems foster.

Sensitivity to operations
Weick and Sutcliffe describe sensitivity to operations as pointing to "an ongoing concern with the unexpected. Unexpected events usually originate in 'latent failures' which are loopholes in the system's defenses, barriers and safeguards whose potential existed for some time prior to the onset of the accident sequence, though usually without any obvious bad effect."

Management focus at all levels offers opportunities to learn about deficiencies that could signal the development of undesirable or unexpected events before they become incidents. HROs recognize each potential near-miss or "out of course" event as offering a "window on the health of the system" -- if the organization is sensitive to its own operations.

Commitment to resilience
HROs develop capabilities to detect, contain and bounce back from those inevitable errors that are a part of an indeterminate world. The hallmark of an HRO is not that it does not experience incidents but that those incidents don't disable it. Resilience involves a process of improvising workarounds that keep the system functioning and of keeping errors small in the first place.

Deference to expertise
HROs put a premium on experts: personnel with deep experience, skills of recombination and training. They cultivate diversity, not just because it helps them notice more in complex environments, but also because rigid hierarchies have their own special vulnerability to error. As highlighted by the work of James Reason and the Human Factors Analysis and Classification System (HFACS), errors at higher levels tend to pick up and combine with errors at lower levels, exposing an organization to further escalation.

HROs consciously evoke the fundamental principle of risk management: that "risk should be managed at the point at which it occurs." That is where you will find the expertise and experience to make the required decisions quickly and correctly, regardless of rank or title.

Unfortunately most organizations do not work at this level, preferring to manage risk through the introduction of standard operating procedures, policy and work instructions. While these undoubtedly have their place, and can help people to make quick and consistent decisions, a significant body of research also indicates that the blanket application of these controls can reduce individuals' "mindfulness" and personal responsibility, thereby contributing indirectly to increased operating risk.

Other lessons from HROs
Other lessons from HROs include the strong support and reward for reporting of errors based on recognition that the value of remaining fully informed and aware far outweighs whatever satisfaction might be gained from identifying and punishing an individual.

The Icarus Paradox
Many experiments have shown that people who succeed on tasks are less able to change their approaches even after circumstances change (the hammer and the nail syndrome). W.H. Starbuck and F.J. Milliken, in their analysis of the Challenger space shuttle disaster, said: "Success breeds confidence and fantasy. When an organization succeeds, its managers usually attribute success to themselves or at least to their organization, rather than to luck. The organization's members grow more confident of their own abilities, of their manager's skills, and of their organization's existing programs and procedures. They trust the procedures to keep them apprised of developing problems, in the belief that these procedures focus on the most important events and ignore the least significant ones." 

This level of complacency is a breeding ground for inadequate or ineffective organizational risk management and needs to be fully considered when reviewing the internal context and the risk management context.

Julian Talbot is a risk management consultant and lead author of the Security Risk Management Body of Knowledge. He is a Director of SARMA, a Fellow of the Risk Management Institution of Australasia and a Research Associate with the Australian Homeland Security Research Centre. This article is excerpted from his upcoming book Snapshot Guide to ISO 31000:2009 Risk Management!, which is due for publication later this year. For more sneak previews and risk management tips, go to http://31000risk.blogspot.com/.

---

Works Cited:

Rochlin, Gene (1996). "Defining 'High Reliability' Organizations in Practice: A Taxonomic Prologue," p. 15 in Roberts, Karlene (ed.), New Challenges to Understanding Organizations. Macmillan Publishing Company, New York.

Weick, Karl & Sutcliffe, Kathleen (2001). Managing the Unexpected: Assuring High Performance in an Age of Complexity. Jossey-Bass, New York.

Starbuck, W.H. & Milliken, F.J. (1988). "Challenger: Fine-tuning the Odds Until Something Breaks," Journal of Management Studies, Vol. 25, pp. 319-340.

Key Reports


Harvard/IUSCS: U.S.-Russian Joint Threat Assessment on Nuclear Terrorism


A joint report by Harvard's Belfer Center and Russia's Institute for U.S. and Canadian Studies finds that, "although the international community has recognized the dangers of nuclear terrorism, it has yet to develop a comprehensive strategy to lower the risks of nuclear terrorism."

Get the report

INSA: Smart Change


A new report by the Intelligence and National Security Alliance looks ahead to a period of reduced budgets and "reviews lessons learned in the 1990s with the intent of formulating recommendations to help avoid repeating the mistakes made in that period of fiscal constraint."

Get the report

California Division of Fairs and Expositions


A new report examines whether the state's fairgrounds, which are typically used as staging areas for fighting forest fires and other disasters, could also be used to take in human and farm evacuees if necessary.

Get the report