Creating the foundation for Optimal Risk Decision-Making within a Complex Environment filled with Black Swans and Black Turkeys
Most organizational infrastructures span a diverse range of service portfolios delivered through a large and widely distributed technical/digital structure. The scale and distribution of modern organizations have required that they function in a federated manner, with capabilities “customized” to accommodate needs at the enterprise and portfolio levels. Today’s infrastructures have the characteristics of a “cyber ecosystem.” A cyber ecosystem comprises a variety of diverse participants – suppliers, processes, users, and digital and technology assets – that interact for multiple purposes to achieve a common organizational goal/strategy. Within a cyber ecosystem, the impact of risk may vary between the organization (principal) and the various components (agents) of its ecosystem.
Traditional concepts of resiliency may not apply to a cyber ecosystem, and the fragility resident in the system itself may span and vary depending on the agent’s relationship to the principal. However, risk, particularly cyber risk, is a human endeavor, and the efficacy of security cannot be defined solely by the use of automated cybersecurity tools. It is the human (risk manager) who uses the various toolsets and data to support risk decisions (from mitigation to investments). This conference topic discusses the need to understand, or at a minimum acknowledge, that there is a cognitive component to the identification and management of cybersecurity risk, and that this cognitive behavior in risk decisions may be a major determinant of the effectiveness and performance of the risk management process.
“Cognitive risk management is the multidisciplinary focus on human behavior and the factors that enhance or distract from good outcomes.” Cybersecurity and resilience within the Enterprise Risk Management (ERM) framework require that the organization add assumptions concerning cognitive limitations, designed to account for specific anomalies in risk decisions. In other words, even with the best cybersecurity toolsets and data, it is still the risk manager’s ability to remove cognitive bias and issues related to bounded rationality that ensures the approach to risk management is optimal. Research has demonstrated that the central characteristic of risk managers is not that they reason poorly, but that they often act intuitively. Their behavior is guided not by what they are able to compute, but by what they happen to see and comprehend at a given moment. Understanding the cognitive component of risk decisions is even more critical to managing risk within the complexity of a cyber ecosystem, which requires first-, second-, and third-party risk management.
PhD President, OpRisk Associates, LLC
Dr. Head has worked with the Federal Government and private industry implementing enterprise risk management (ERM) and corporate performance management (CPM) programs for the assessment of large-scale information technology (IT) investments, and has supported global companies in the areas of strategic sourcing, supply chain management, operational risk management, governance, policy development, and IT outsourcing. She has spoken at the Federal Reserve on organizational performance and at the Risk Management Association on Trends in Cybersecurity, and was recognized as one of the top 50 Most Important African Americans in Technology (2010) and as Black Engineer of the Year (2001). She has received national awards for combining business acumen and information technology expertise to develop and execute strategic information technology plans aligned with corporate goals. She has experience supporting the Federal CIO agenda (Governance, EA, Information Assurance, Emerging Technologies, IT Process Improvement Disciplines (such as ITIL, COBIT, SDLC, policy, and Operations, etc.)).
As President of OpRisk Associates, LLC, Dr. Head has over sixteen years’ experience providing strategic planning, enterprise architecture analysis, and consulting services including portfolio and risk management. She has supported global companies in the areas of strategic sourcing, supply chain management, outsourcing, and global business continuity management solutions. She has developed risk management solutions for the Federal Aviation Administration for programs impacting the operational effectiveness of airports. She has spoken at the Sandton Convention Centre, Johannesburg, South Africa, on Business Continuity, Crisis Management, and Pandemic Planning.
Dr. Head has a Ph.D. in Strategy, and has supported organizations in Africa, Brazil, France, Germany, England, Belgium, and Canada. She has a business process patent on “Increasing Win Probability in Large Complex Contract Competitions” (Patent # 7962379).