Lootok

Menu

What's new?

Join Lootok in Philly for RIMS 2017!

As you are making plans for the RIMS 2017 Conference in Philadelphia, make sure you don’t miss Lootok’s Sean Murphy and Jeremy Stynes speaking on Monday, April 24th. They will be exploring the psychology of risk, sharing innovative ways to market your program, and breaking down traditional myths of Business Continuity Management. All in our signature, non-conventional Lootok way. We hope you come and join us!

RIMS 2017: April 23-26th, 2017 | the Pennsylvania Convention Center | Philadelphia

Lootok Sessions on Monday, April 24 :
12:00 – 12:25 pm | Market Your Program Like a Product | Jeremy Stynes, President
1:00 – 1:25 pm | Five Myths of Operational Risk and Business Continuity Management | Sean Murphy, CEO
3:00 – 4:00 pm | Risk Shrink: Exploring the Psychology of Risk | Sean Murphy, CEO, Lootok; Hester Shaw, Internal Control Framework Director, GSK

Lootok Rims 2017 Philadelphia cheesesteak
Join Lootok for some juicy sessions on Business Continuity!

 

Read Post

How do you create situation awareness—Fresh perspectives with Mica Endsley

I had the privilege of sitting down with Mica Endsley —author of Designing for Situation Awareness: An Approach to User-Centered Design. Mica is the president of SA Technologies. Previously she was the Chief Scientist for U.S. Air Force.

Mica shares with us lessons learned from her book—Designing for Situation Awareness. I asked her nine (9) questions to solicit her thoughts on situation awareness, technology, and mental models.

Mica Endsley
Mica Endsley

Read Post

What is the best way to tell stories as means to communicate - Cliff Atkinson on Fresh Perspective

 

Read Post

How would a physicist approach risk management - Mark Buchanan on Fresh Perspective

 

Read Post

How to use Scenario Planning in Risk Management - Thomas Chermack on Fresh Perspective

 

Read Post

Can a crisis make you a celebrity?

Picture of man speaking to the press
Ready or not.  Say, “Cheese!”

While artists, athletes, and performers struggle to make their mark in the public eye with a memorable act or viral moment, a different type of celebrity has been emerging on the scene - the spokesperson for a crisis.

Here’s a quick exercise to highlight the point:

Jeffrey Boyd, Lew Frankfort, and Stephen Hemsley. Do these names sound familiar?
If not, don’t feel bad. They are the CEO’s of Priceline.com, Coach, and UnitedHealth Group, respectively.

Now, how about the names Tim Cook and James Comey?
We can immediately recall them as the CEO of Apple and the FBI Director, respectively, feuding over a locked iPhone involving a federal investigation of the San Bernardino shooting.

The media diligently covered Cook and Comey’s debate for more than three months. During that time, both men emerged as stars in a cast of characters ranging from lawyers, judges, politicians, and even presidential candidates. The media and public tuned in to hear their perspectives on data privacy, security, technology, civil rights, and terrorism.

Read Post

Should global organizations have a global security operations center (GSOC)?

“How did you go bankrupt?”
“Two ways. Gradually, then suddenly.”

- Ernest Hemingway, The Sun Also Rises

I was working with a head of risk management—the chief risk officer—at a global organization that does not have a GSOC. One night over dinner, I asked him why his organization didn’t have one, and suggested he spearhead the initiative. His response? “I’m not convinced we need one. The organization has always operated without a GSOC, so why start now?” He also said, “The reality is, we’re already doing it here and there. The system works fine. Let people do their thing.” Something that seemed so obvious to me and so unnecessary to him left me on the defensive and him on offense.

The reality is, if you’re a global organization, you need a GSOC—or some version of it. If you don’t have one, you will need to communicate the severity of the situation and get one. Allow me to illustrate the need for such capabilities so you can justify the business case to your leadership and board…

GSOC

Read Post

Part V | Perception: we can control everything vs. Reality: we can only influence

Perception:

We Can Control Everything

Reality:

We Can Only Influence

We tend to believe the more control we have over something, the better. And why wouldn’t we? Control gives us predictability. It’s efficient. It stabilizes. It makes our lives easier and heck of a lot less stressful.

Isometric grey image

Read Post

Part IV | Perception: the risk manager’s job is to manage risk vs. Reality: to run a company

Perception:

The Risk Manager’s Job is to Manage Risk

Reality:

The Risk Managers Job is to Run a Company

If I had better foresight, maybe I could have improved things a little bit. But frankly, if I had perfect foresight, I would never have taken this job in the first place.
- Richard F. Syron

Isometric grey image

 

Read Post

Part III | Perception: it’s a paint-by-numbers vs. Reality: you paint it like pollock

Perception:

It’s a paint-by-numbers

Reality:

You paint it like Pollock

Before we do anything in our risk management planning, we need to make sure we understand the environments we work in. Everything we do should accommodate the attributes and characteristics of our environments.

Isometric grey image

Read Post

Part II | Perception: it’s like building a house vs. Reality: it’s like running a farm

Perception:

It’s like building a house

Reality:

It’s like running a farm

There are certain building blocks to any program, but how we approach risk management planning will inform our results from the start. Keeping an eye towards sustainability is key.

Isometric grey image

Read Post

5 fresh perspectives: seeing the world differently

Why do we even need a fresh perspective on BCM?

As we grow and learn from our experiences, observations, and interactions with other people, we form frameworks that help us understand the world around us and give us cues as to how to respond or behave. These frameworks give us our own personal blueprint as to how and why things work.

For example, most people have automatically come to understand that when your phone rings, you answer it and say, “Hello?” When someone sneezes, it’s likely you’ll hear someone else say, “Bless you.” If you want to make an omelet, you need to break a few eggs. Et cetera.

The problem is, frameworks are built on individual experience. And sometimes we get it wrong. And when we get it wrong, we’re presented with challenges that are extremely difficult for us to understand and negotiate.

This is the first in a series of e-books that examines the typical ways we’ve found people think about risk management. A fresh perspective is important, as many of the frameworks we’ve built around the process—as well as the product—tend towards the negative. Our goal is to identify how and why we’ve developed these frameworks so we can do something about them.

Isometric grey image

Read Post

Fresh perspectives: biggest challenge in risk management – metrics

What’s the biggest challenge in risk management? If you ask risk analysis expert Yossi Sheffi, it’s the lack of an industry metric. For example, when you choose a supplier, how can you quantify how risky your choice is? When it comes to metrics, Sheffi says, risk still remains an area where gut feelings and opinions play a major role. And the biggest challenge for risk managers? Defuse the responsibility for managing risk throughout the whole company.

Read Post

Fresh perspectives: resiliency strategies

Risk analysis expert Yossi Sheffi discusses two fundamental resiliency strategies that organizations can use to recover from an incident: redundancy and flexibility. Using the examples of Intel and Southwest Airlines, Sheffi talks about the role of redundancies, flexibility and interchangeability, and communication and culture to provide risk managers with realistic and practical approaches to consider.

Read Post

Fresh perspectives: risk matrix

Risk analysis expert Yossi Sheffi explores the capabilities and limits of the traditional risk matrix, and adds another axis called “detectability.” Detectability has to do with time dimensions, or how much time we have to prepare and react to a threat. There are some events, such as a cyberattack or theft of intellectual property, that have no warning; you realize their occurrence only after they hit you. While the standard use of the risk matrix is influenced largely by the past, adding detectability means greater opportunity to tackle impending threats.

Read Post

Fresh perspectives: insights

What happens when we’re in a crisis we haven’t seen before, and our experience is insufficient? Such a situation requires us to gain “insight,” or develop new patterns that change the way we understand things and consequently, change the actions we consider. Research psychologist Gary Klein investigated the different ways that people form insights, and the factors that prevent us from having them.

Read Post

Fresh perspectives: crisis management team

There are certain challenges that face a crisis management team in the “Golden Hour,” the moment when team members convene to make critical decisions. Research psychologist Gary Klein discusses the need for team members to size up not only the situation, but also each other’s capabilities, roles, and responsibilities at time of event. That’s why it’s key for a crisis management team to regularly practice and train together.

Read Post

Fresh perspectives: uncertainty metaphors

How do most organizations handle uncertainty? They gather more information. Research psychologist Gary Klein explains why this isn’t always the best course of action. After all, it’s easy to gather information and sit on it; it’s harder to know how to make sense of events, and make a coherent story based on the data we have.

Read Post

Debunking myth #4: It gets cheaper and easier

Keeping a BCM program alive doesn’t get cheaper or easier over time. In this eBook, we’ll talk about why.

Download It gets cheaper and easier, the fourth myth in Lootok’s series on the five myths of business continuity management (BCM)!

It gets cheaper and easier
Myth #4: It gets cheaper and easier

See Myth #1: The plan is the promised land.
See Myth #2: You need a business impact analysis (BIA).
See Myth #3: The risk matrix measures risk.
See Myth #5: Best-in-class BCM software exists.

Read Post

Fresh perspectives: recognition-primed decision model

How can leaders make good decisions under the extreme time constraints of a crisis? To find out, research psychologist Gary Klein studied fire fighters to understand their approach to making crucial, complex decisions so quickly. The recognition-primed decision (RPD) process, as he explains, reveals how these professionals assess the situation: they compare familiar patterns and cues to past experiences to know which actions to take.

Read Post

Debunking myth #3: The risk matrix measures risk

The risk matrix is a standard tool commonly used in risk assessments. It’s straightforward to use, and easy to explain. The only trouble is, the risk matrix doesn’t actually forecast or measure risk.

When used as a quantitative tool, the risk matrix is misunderstood. Our challenge as practitioners is to recognize the limitations of the risk matrix, so we can use it in a way that increases understanding of the threats around us. In this eBook, we explore how.

Download The risk matrix measures risk, the third myth in Lootok’s series on the five myths of business continuity management (BCM)!

The risk matrix measures risk
Myth #3: The risk matrix measures risk

See Myth #1: The plan is the promised land.
See Myth #2: You need a business impact analysis (BIA).
See Myth #4: It gets cheaper and easier.
See Myth #5: Best-in-class BCM software exists.

Read Post

Debunking myth #2: You need a business impact analysis (BIA)

Many of us business continuity management (BCM) professionals are convinced that a business impact analysis (BIA) is a “must-have” for any company. On top of that, we often believe the more information we gather, the better. But after the enormous effort to collect mountains of data and conduct endless interviews, we end up with little value to show for it.

Doing a BIA is expected of us, but do companies actually need a BIA? I guarantee that conducting an extensive BIA project is a quick way to exhaust your resources, stall your program agenda, and taint the reputation of your program. But if you’re willing to question why you’re doing a BIA, and then facilitate the process in a practical way for participants, you can maximize your investment. This eBook explores how to do this, and why it matters.

Download You need a business impact analysis (BIA), the second myth in Lootok’s series on the five myths of business continuity management (BCM)!

You need a business impact analysis (BIA)
Myth #2: You need a business impact analysis (BIA)

See Myth #1: The plan is the promised land.
See Myth #3: The risk matrix measures risk.
See Myth #4: It gets cheaper and easier.
See Myth #5: Best-in-class BCM software exists.

Read Post

Debunking myth #1: The plan is the promised land

As BCM professionals, we’ve long believed in the myth that a plan is our key to recovery during a disruption. Often, we hyper-focus on the plan as undeniable proof that the right actions will be taken in an incident. This is the worst possible approach. Learn why in our eBook, The plan is the promised land, the first in Lootok’s series on the five myths of business continuity management (BCM)!

The plan is the promised land
Myth #1: The plan is the promised land

See Myth #2: You need a business impact analysis (BIA).
See Myth #3: The risk matrix measures risk.
See Myth #4: It gets cheaper and easier.
See Myth #5: Best-in-class BCM software exists.

Read Post

10 lessons in crisis management

When bad things happen, companies can’t afford to just react on the fly. Successful management of a crisis requires understanding how to handle an event, before it occurs. Staying competitive in the marketplace means taking a more proactive approach to crisis management. Here’s how.

A matter of hours or days is all it can take for a crisis to destroy a company’s reputation.

Read Post