security.itworld.com
  Search  
Security Home Page Security Webcasts Security White Papers Security Newsletters Security News Security Topics Careers ITworld Voices ITwhirled The Security site of ITworld.com

12 behaviors for creating a healthy risk culture

 ITworld.com Voices 5/6/05

Bruce Taylor recently spoke with Dr. Robert Charette, a Fellow of the Cutter Consortium and Director of its Enterprise Risk Management and Governance practice on the topic of Risk Management. Here, Dr. Charette outlines 12 key organizational behaviors that can help IT leaders create and manage a risk culture in their organizations. Following is an edited transcript of that conversation. You may also listen to the original interview here.

On this topic
Most organizations fail to manage risks associated with sharing data with third parties
Five Security Mistakes to Avoid
Comparing Approaches for Desktop Software Lockdown
Identity Theft Primer
Software Security: Building Security In
Get practical tips, IT news, how-tos, and the best in tech humor.

Hi, I'm Bruce Taylor and this is Voices on ITworld. Our guest today is Dr. Robert Charette a Fellow of the Cutter Consortium and Director of its Enterprise Risk Management and Governance practice. Bob serves as a Senior Risk Advisor to Global 100 corporate senior management, with a particular focus in the area of information and network communication systems. Dr. Charette also acts as Chief Risk Consultant to financial organizations for mergers and acquisitions. Bob, welcome.

Bob Charette: Thank you.

Bruce: The Cutter Consortium recently published a paper of yours entitled The Risk Cultural Revolution and in it you led off with a brief analysis of the National Aeronautics and Space Administration's efforts at cultural change around the issue of safety following the Columbia shuttle tragedy. Can you tell us a bit about your observations regarding NASA and its safety and risk culture?

Bob: Well, I think that NASA has -- as everyone knows who has been reading the press that NASA has embarked on trying to change its culture after the Columbia accident. It's actually a continuation of cultural change that goes back all the way to the Challenger accident in 1986. And it's fascinating to me because it shows the difficulty in actually making cultural change within an organization. One of the things that everyone talks about in trying to basically position an organization or company to manage its future is that it has to change its culture. That's one of the basic premises of organizational change. But it's extremely difficult to do so. I think that NASA is a kind of a test case or a prime experiment that people can take a look at and see what you have to do and the difficulties that are involved. NASA is a very large organization. It has 19,000 plus employees. It's spread across the country in different organizational silos in a way. Each one of these centers that NASA has, has a particular mission and particular objective. And it resembles, even though it's a government organization, it resembles a lot of corporate organizations in its structure and its difficulties. I think that if you take a look, right now there is the debate that's raging internally as well as externally, in terms of what it really requires to make NASA different than what it acted like before. And they're having some difficulties in doing it.

Bruce: And we now have a new chief at NASA in Mike Griffin, a thorough-going scientist and engineer. What do you see his leadership bringing to the agency today around this cultural change that may be beneficial?

Bob: Well, I think that for NASA the previous two administrators were more the politically-oriented than engineering-oriented. I think that NASA in getting this particular administrator is going more toward its roots, trying to focus on the engineering aspect of NASA and I think it has created a breath of fresh air within the organization because now decisions will be made as much on engineering requirements as it does on political or financial requirements. I think that NASA, again, even going back to the origination of the shuttle, was driven as much by politics as it was by engineering decisions and I think that they have reaped a lot of bad karma in a sense from going down that path. And I think the new administrator is going to get them back into an organizational culture of excellence and organizational change has to come as much from the top as it does from the bottom. So I think the new administrator with his deep knowledge of NASA and his deep knowledge of engineering -- and being politically savvy as well, I believe, is going to make that change. And given that the Senate gave him overwhelming support in approving his nomination as administrator, I think he has a period of time to make some changes there that otherwise would be extremely difficult to make if they had kept their previous administrator, Sean O'Keefe.

Bruce: Bob, earlier in the conversation we were talking about cultural change. What, in your mind, is a good workable definition for what we mean for corporate culture?

Bob: The one I always go to is the one that's kind of classic by Edgar Schein in his book Organizational Culture and Leadership which is really this idea that there's a pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration that's worked well and has been taught to new members of the group and it defines what's the correct way to perceive or to think or to feel in relationship to the problems that the organization faces. That's kind of the academic definition. Mine is that basically culture describes what everyone within the organization believes is acceptable behavior, especially when they're faced with non-routine situations. It's this non-routine situation which is always the test of a culture. It's the test that NASA didn't pass very well in Challenger and didn't pass very well in terms of Columbia. When you're faced with a problem that you've never really had to encounter before, when that happens, that's when everybody really kind of surfaces what ingrained thinking there is. I also think that culture defines the bonds that connect all the individual members to the organization itself. It's what the individual members of an organization identify or associate themselves with. And I think it gives that shape and meaning to what motivates the organization. In NASA there's always been a complaint in the shuttle organization that they had to launch -- the necessity to launch has been a driving motivational factor. And I think that occurs not only in organizations like NASA, but it occurs in other organizations.

Bruce: When you talk about shared assumptions, the pattern of shared assumptions, the behaviors, would that be what most of us would say are the values of the enterprise?

Bob: Well, it's a combination of things, I think. There's an idea of what's valued. That's very important. You'd almost turn it around in one sense. I think it's easier to say what's not valued within the organization. It's the non-value of things that I think often drive organizations to do the things that they do. More so than just the things that they do value. - When you're talking about shared assumptions it's how people have learned to make decisions and what type of information they regard as necessary and which ones they regard as not. As well as kind of the assumptions in terms of what's the incentives? What is the thing that will get you promoted? What is the incentive that's going to make you a winner within the eyes of your colleagues.

Bruce: So you outline in your paper, 12 key organizational behaviors or indicators that leaders can use to create an effective enterprise for its management culture. So what I'd like to do, is to step through those and if you could, briefly cite an example in each of these cases and it would be lovely if you could bring them back to NASA because that gives us kind of a metaphor for this conversation that's interesting. And the first one is a questioning of assumptions. So you've got the Schein statement about shared assumptions. Is the counter-value here the questioning of assumptions?

Bob: Yeah, I think so. And it's not only just the question of the assumptions. The assumptions can include not only how you view the world, but the constraints that are imposed on the organization and I think that questioning the assumptions, questioning the constraints are things that are very key. Within a lot of organizations, we've seen this -- I hate getting a little off topic, but if you take a look at the debate that's happening within the intelligence community for Iraq and weapons of mass destruction, for instance. Part of the debate is, what were the going-in assumptions by the various parties and how do you question those things? The same thing happened in NASA when it really wasn't until after they tested shooting foam against pieces of the wing that they actually understood that small pieces of foam could tear very large holes into the shuttle. Before that point, before they actually did the test, the assumption was is that there was really no way that foam -- unless it was a huge piece -- was going to do any damage to the shuttle. And so questioning the assumptions is something that is extremely, extremely difficult, but it's also one of those key behaviors that allow an organization to really understand whether or not it's going on the right path and it's also a way of being able to say that, yeah, I'm going to start managing risk more effectively because if I don't question my assumptions, then I'm leaving myself open to things. Because one of the key maxims of risk management is that assumptions made are risks that you have accepted.

It's very, very difficult for people -- if you ask them, what assumptions do you have in your business decisions? They will kind of scratch their head for a while and I think if you ask them the second question of saying, well, what constraints do you have? Well, they may go and say things that are little bit out of their control, but they have a very difficult time looking at the assumptions or even realizing that every time you make an assumption, that you've taken a risk in the sense that you're not questioning it. You're going to just accept whether or not that assumption is correct or not. And again, if you take a look at Challenger accident, you take a look at the Columbia accident, you take a look at almost any major disaster, whether or not it be a bridge falling down, a dam breaking or airplane crashing -- if you unravel it you'll see that in a large number of cases, the assumption set was violated and people didn't realize that their assumptions or the constraints were violated. And accidents happen that way.

Bruce: So your second behavior is asking for risks. And what do you mean by that?

Bob: Well, this is really a key point. We have a saying in risk management that if you don't ask you don't get. If managers aren't asking for the risks and asking for what can go wrong, that information isn't going to be passed on very much. Most information as it moves from a bottom part of the organization to a top part of the organization, bad news tends to get filtered out. And it takes a lot of effort on management's part to really say, listen, I want to know what is going to go wrong and again, the behavior has to be that once you ask for it, you can't bite somebody's head off if they give it to you. And so asking for risk -- making that part of the organizational culture is very critical for managing risk and also for managing change because change creates risk and if you're not asking for those risks, then you're not aware of what changes are going to be occurring in your environment and within your organization.

Bruce: And when you talk about asking for risk, you mean you're asking staff at all levels, line people to, in fact, raise the issues and that management has a hearing for those?

Bob: Yes, and it's key that there's a proactive asking for because it's very easy to get into a mode that it appears that when people -- especially if you're a manager -- what it sounds like, if you're not really in tune with it, it sounds like whining all the time. And there's the old management saying, don't bring me problems, bring me solutions. We don't have risks, we have challenges. All the euphemisms that we use. But a really good organization is one that says, okay, tell me what might go wrong here. Let's see whether or not -- again, is part of the reason that things are going to go wrong is because it violates our assumptions or it violates our constraints or is there something really here? But risks are given a hearing and action is not taken against people who bring these issues up. Again, one of the problems during the Columbia disaster wasthere was a large number of people who were within the NASA organization who were saying, you know, we think that this might be a problem, but management seemed not to really want to know. And, in fact, what's even worse is that even if management did want to know, is that the line staff felt that management didn't want to know. And so you end up with exactly the same result. So unless management is very active in asking for risk, they're not going to hear them.

Bruce: And Bob, then we come to what you call your third law of risk management and it's called the willingness to reverse decisions. So give us a case example.

Bob: Well, let me explain what it means first, is that a willingness to reverse decisions is an important aspect of doing any type of risk management. I kind of view it as, if you're not willing to reverse decisions, you can't manage risk. Because what you've done is you've basically expended all your effort into making a decision and from that point, by golly, you're going to keep at that decision until you're absolutely proved wrong. I think that one of the things that organizations, especially the higher managers in organizations, have to be able to do is admit that sometimes decisions are incorrect, that things go off the rails, that environment changes or whatever and that the quicker you can reverse a decision, the quicker that you can manage the risk. I think that in NASA's case, the ability to look and say -- I think they're exemplifying this more now than they did before -- was a willingness to say, well, we're not ready to launch and even though you have the date and even though every week that passes by costs you millions of dollars in delay, is that you're willing to say, well, that was a date, but it was only a date. It wasn't something that was hard and concrete and something that we have to be driven by. I think organizations way too often make decisions -- there's so much effort that's required to get something moved along, that people are just loath to change it. And therefore, unless you're willing to reverse a decision, unless you're willing to say, well, either we've got to go do something different -- you kind of just follow the lemmings off the cliff.

Bruce: And here's a case where kind of the corporate hubris plays in favor ignoring the risk and moving forward with a play because it's embarrassing to stop.

Bob: Yeah, because people do spend a lot of kind of -- what I call the political silver bullets to get a decision made. Think about any major corporate decision on say any type of IT project, something that's going to really change the organization and is going to have a major impact. There's so much time and effort and so many people's political careers or egos are involved that when something starts to go wrong, people will wait until it becomes disaster just because nobody wants to stand up and say, well, maybe this wasn't the correct decision. There's many companies -- Intel is one that comes to mind that tries to work very hard at not looking at decisions as either being right or wrong. They try to look at them being correct or incorrect. There's a maxim within Intel that normally they need to reverse decisions very quickly to stay on top of the market and, in fact, Andy Grove used to talk about whenever he had to change a decision, his greatest regret was that it always took them longer than he should have on retrospect.

Bruce: And then the willingness to speak out.

Bob: Well, this is one that I think almost everybody who has been in business for any length of time knows about. A good organization risk culture is one where people aren't intimidated to speak out. In fact, this is the controversy that's really going on right now within NASA where a number of people talk to the reporters at The New York Times and basically accused NASA management of kind of changing the goal posts in terms of what the risks were in terms of the shuttle so that it could launch. Whether or not that's true or not is in some ways it's irrelevant, but what it shows is that there is still a strong feeling by some within NASA that if they speak out that they're going to be punished. Even in the Sarbanes-Oxley law there's a section in there to protect whistleblowers from retribution. So this is one of the strongest indicators of whether or not your culture is really changing. Can you speak out freely? And it goes hand in hand with management asking for risk. If management asks for risks, then people will be more likely to speak out than not.

Bruce: And I love how you phrase it and that manager's are required to continue to listen, even in the face of repeated false alarms.

Bob: Yeah, that's really important because one of the paradoxes about risk is that risks are events that might happen. At the same time, they might not. And the fact that something doesn't happen doesn't mean that the risk wasn't there. It just means that for that particular situation that harmful event didn't come to be. So it takes a lot of fortitude on the part of management to, again, listen to people speaking up and maybe incorrect for that particular instance, but it's still willing to not only ask for the risk but listen to the people speaking up when they think that there's something maybe going wrong.

Bruce: So now we're at point five, learning from mistakes.

Bob: Yeah, this is always one that again is almost like motherhood and apple pie, but it's extremely important. In high reliability organizations there's always this big issue in terms of making sure that you learn from your mistakes, that you don't want to be repeating mistakes. In fact, what you'd like to do is have errors be random, that they're not systemic within the organization. But it's very difficult for organizations to really learn. Peter Sengay's The Learning Organization, everything else that he wrote about -- I think everybody accepts -- but it's very difficult for an organization to actually learn from what's happened. We did a study at Cutter a few years ago on risk management practice and we asked a question about, do you do post mortems of your projects and somewhere in the neighborhood of around 40% of the organizations that we asked said that they did. And then we followed up with another question that asked, well, does anybody use it? And only 8% of the people said that they used them. And so information just does not get passed on and so organizations, again, repeatedly make the same mistakes over and over again. I call it the d�j� vu to the 'nth power problem. Most organizations make the same mistakes, but what they do is they make them in kind of unique combinations and, again, if they had bothered to really learn, truly learn, why certain mistakes keep occurring, they would get a lot further ahead. And again, part of that goes back to the very first thing we talked about in terms of questioning assumptions. A lot of times people because they haven't questioned the assumptions, the policies, the approaches, the culture itself all contribute to forcing people to do the same things over and over and over again. And again, clearly within NASA, they did not learn from Challenger. Or they didn't learn enough from Challenger to prevent something like Columbia happened.

Bruce: I expect part of the problem on learning from mistakes is that most cultures don't reward people -- there is not a value for mistake making.

Bob: I think that's very true. I try to make a distinction -- for instance, one of my hobby horses or little soap boxes is that in the IT community we talk about IT project failure. Well, most of these things aren't real failures, most of them are blunders and we keep blundering because we don't do the things that we need to do because we don't learn and because there's no real penalties for not learning other than the company going under. You're absolutely right, there's no value given to learning. We also tend to discount failure, information from true failures, because that information tends to be seen as tainted. I think it's human nature to say, well, if I was doing that I would have done it differently and I wouldn't have had that problem. But we don't value things that go wrong, yet progress -- engineering progress, societal progress, everything is based on failure. And that's kind of the paradox that we run into.

Bruce: And of course, in that case it's learning how to actually distinguish what the failure is, what it really is and what it is not.

Bob: Yeah, and to do that is that you need to have processes, you need to have good understanding, processes that are visible, measurable, repeatable, things that you can take a look at and say, oh, I can understand why something went wrong. And again, that's something that organizations just struggle with all the time.

Bruce: So we're at point six which is constantly challenging the management of risk process.

Bob: Yeah, I think this, again, is one of those interesting ones that people kind of intuitively know, but they don't bring out as something that's very specific and articulate very well. I think that when you really take a look, management of risk is what organizations do. This is especially what management does. And again, we tend to have management of risk processes or if we want to say risk management processes, they tend to be very ad hoc. What we don't do is that we don't take a look at how risk as a whole is managed across the corporation. Risk management today in most organizations where it is done is managed in silos. There's very little sharing of information. There's very little real sense of we need to manage risk because that's what we do for our customers. If you take a look at any company that produces a product, well, the only reason that a customer buys anyone's product is because you lower that person's risk. You lower your customer's risk. If they could do it themselves, they wouldn't bother buying your product. And so one of the things that you always have to do is you have to ask yourself how am I going to manage risk better? What are the things that we need to do? And it's kind of not only the strategic things that you want to do as an organization, but it's also just kind of the day-to-day things that you want to do in terms of saying, is this really what is going to make us successful today? It's one of those things that you don't want -- how well you manage risk today is not going to be good enough for tomorrow. That's in a nutshell. The environment is going to be changing, the risks you face are going to be changing and so even as a successful company, then you really need to constantly ask yourself, are we doing everything we can to manage the risks that we have?

Bruce: You talk about, next, the idea that risk management be used to assess risks, not to justify opportunities. So give me an example of how risk management has been used to justify an opportunity.

Bob: Wow, well, we can just go right back to NASA on that in terms of there's always been -- there's this idea within NASA called launch fever where you really need to focus in on the launch and everything is subsumed to accomplishing that goal. You see it in IT projects constantly where meeting that cost, meeting that schedule is the thing that becomes the most important thing. I think that if you take a look at almost any major corporate goal that is viewed as the next big revenue generator is that everything is aimed at supporting the opportunity. So what you do is you look at the risks and you say, well, the risks really aren't that bad because we're going to have all these great techniques and great procedures for overcoming it. And you get into this fever mode so risks aren't there to keep you from doing -- they're not viewed as something to keep you from doing anything. They're really there to help justify that the opportunity is where you want to go. I've seen it get to the point where we almost get into this mode of the Chinese proverb that where there is risk there is opportunity. What people don't understand is that the real translation of that is, where there's risk there better be opportunity. And that's an important, if subtle difference and I think that people, again, they'll use risk management to lower the risks that they may encounter or just subsume them as everything is to push opportunity forward.

Bruce: And your eighth point is around having quantitative measures for the management of risk.

Bob: Well, I think quantitative assessments, whenever they're feasible are the best that you can use in terms of gaining insight and the whole idea that if you can't measure something it's pretty hard to really understand it. And so what you want to be able to do is try wherever you can to have definitions of the likelihood of an event occurring, what's the potential consequences if it does occur? What's the timing? What are the things that you value? What are the thresholds, the levels of acceptability? All these different things in terms of numbers so that you can compare different situations, different risks against one another. And I think that that's an important issue even though in many cases it's extremely hard.

Bruce: So that really leads into your point nine and my sense of this is that the numbers, that the data, really lead you to being able to ask the right questions.

Bob: Yeah, the numbers give you that insight, but at the same time, numbers aren't everything. There's classic examples in terms of -- for instance, I could give you a scenario where given N number of people get sick and make the risk exposure X and then from the number of days lost equals the death of two children from a mathematical standpoint. And you could come up with an equivalence relationship with saying, well, because 100,000 people get sick and lose N number of days of work, that equates to the loss of 2 children's lives. And even though that sounds cold, if you were to look at it from a pure number's standpoint, you could come up with an equivalence relationship. And so part of the thing is to always remind yourself that there's a lot more to it than just numbers, that you need to worry about ethics, you need to worry about morals, you need to worry about all these other soft issues that in many cases you don't worry about. For instance, in the conversation we had earlier, we had talked about -- I could come up with a scenario that in kind of the worst case quantitative assessment approach that a shuttle was going to blow up on average once every 25 to 30 times that it's launched. Well, the shuttle is going to be retired in the year 2010 and given the number of shuttle missions, I could, from a quantitative standpoint, say well, let's just -- we don't need to put anymore money into making them better, let's just launch them because over the next five years we're probably not going to have 75 launches. And I could take the attitude that use 'em or lose 'em. But that discounts the fact that we may lose 10, 15, 20 astronauts. I can take a hard financial look, or I can say, well, gee, I need to worry about all these other things where I can't really put numbers on.

Bruce: And then of course, that leads directly into management being able to say no.

Bob: Yeah, and I think that's hard. That's just very, very hard. We saw that management wasn't able to say no in Challenger. We saw management not really willing to listen to the fact that maybe there was a problem on Columbia. You see it on IT projects all the time. You see it on service offerings. If you can't say no, then you can't manage risk. It's not -- it just isn't possible. And there's been study after study on IT projects that have shown that projects tend to double in cost as well as in schedule before anybody gets up the guts to say, well, maybe we shouldn't be going down this path anymore. And if you can't say no, then what you're doing is you're stealing your future. You're spending resources that could be used to pursue other things and it's a real endemic problem that it's just something that I don't understand. To be honest, I don't understand why we can't say no. I think, again, it goes back to that point that we talked about earlier, not being able to reverse decisions. People's egos are so much settled into this that there just isn't a willingness to cut the cord on projects or on anything that people have made an investment in time and energy on.

Bruce: And your eleventh principle -- and this is one that I find really very interesting. We live in a culture of blame and not responsibility, meaning that in our political conversations, in the way we manage organizations we have kind of a systemic view that blame must be assessed, and at the same time we resist personally and institutionally accepting responsibility. And we have the two confused.

Bob: Yeah, in one sense you need to understand why things go wrong. You can't make progress without understanding why something went off the rail. But in so doing, if it becomes a blame exercise, then you'll never find out because people will never tell you the truth. It's a fine line because there are certain things that we have as legal responsibilities and in today's society, especially one that tends to drag everyone into court for the minor-est of issues, risk analysis and risk assessment and risk management as a whole can turn in very quickly into blame analysis, because it is going to look like second guessing all the time. But I think really healthy, mature organizations look at the acceptance of responsibility both personally and collectively as the price you pay for progress and that you stand up, you say I'm the one who made the decision. We made the decision the best way we could and you move forward. I think if you have a strong risk management culture, one which really is looking and trying to understand the risks, it actually makes it easier to have this personal, collective acceptance of responsibility because everybody has taken part in that decision. So to give you an example, one of the organizations that I used to work with it had a rule basically that didn't require risk assessments on their projects. It wasn't a corporate requirement. However, if you were the program manager of one of the projects and you did not do risk assessment, then there was a level of blame that was assessed because you took it upon yourself without seeking out all the different advice. Whereas a program manager who did risk assessments, brought the risks up, everybody agreed what they were, if a risk happened, well, okay, we accept that. And so I think there's this fine line between responsibility and blame, but I think that good organizations understand that certain things are going to fail and you have to accept it. I think where you can't accept failure -- it goes back to what I said before in terms of blunders where you didn't do the things that you really should have done. I think at that point then there is a level of blame that needs to be assessed. But I think if you've done everything you can, and things still don't work, well, that's life.

Bruce: And your twelfth point which I love, I love the notion of learning from the future.

Bob: Yeah, this is an idea that I've thought about for a long time. Learning from the future is really understanding that you're doing risk assessment, you're creating a risk management culture to try to create the future. You want to take risks because risk is really your only currency of trade. Risk is this whole notion that you're taking risks on behalf of your customer. Again, if you're building a new product, you're taking that risk. You're investing your money. You're trying to create a future that you're trying to sell these customers. And so profit is your payment for successfully undertaking those risks. I think that unless you understand it that managing risk is about stepping into the unknown and that you have this level that occasionally failures are going to happen and that's just the price you're going to pay, then you're always going to let other people shape the future for you. And part of this idea of learning from the future is this -- again, it goes back almost to the one that we talked about before in terms of collective acceptance of responsibility is that you're going to predict what's going on. And when you try to pursue an opportunity, when you're trying to create the future, then what you're doing is that you're predicting and you're saying, okay, this is what I think where we should go. This is where I think that the future lies and you get to test how good you are. You get to test whether or not your prediction was correct or not. And then, by having that prediction then you learn from your mistakes, you're able to understand were your assumptions correct? Were your constraints wrong? Were your ideas just premature? But this whole idea I think of risk management, what fascinates me so much about it is that it really is about creating futures. Risk is not really about the past. It's about creating the future from the decisions and the actions, the commitments you make today. And so to me this is really the heart and soul of what we want to do as a really mature risk management organization. Those organizations are just tremendously dynamic.

Bruce: So can you -- and to put you on the spot just a bit -- can you cite an example of a large corporate enterprise that embodies that learning from the future?

Bob: Well, I think there's a couple. I mentioned Intel before. If you take a look at their history, they're an organization that has moved very hard to shape the future in the IT community. Another company that I work with and have worked with for almost 15 years is Rockwell Collins out at Cedar Rapids. They're an electronics and communications company working both government and commercial, working in the aviation industry for the large part as well as in radio and other communication systems. And here's a company that is trying to constantly shape the future by managing risks very proactively. Now what's interesting about Rockwell Collins is that if you go back about 15 years ago, they would not -- although they were seen as an innovative company -- they weren't one that you would look at and say, well, they manage risk extremely well. They may have managed their technical risk, but they weren't seen as managing risks in a holistic fashion, meaning both their management risks, their technical risks, their financial risks, etc. And what they did is they embarked on changing their culture from one that was admittedly risk-adverse and to one that is today considered, in my terminology, risk-entrepreneurial. One that deliberately looks at how do you change risk from something that is a loss situation to something that's actually a profitable situation? And they're a company that we've written about some in Cutter, but I think that if you take a look, here's a company that got hit when 9/11 occurred, they lost a large portion of their revenue because they were selling products to the airlines, the airlines were shut down. Somewhere in the neighborhood of 15 to 20% of their revenue was gone in basically three days. Now what they were able to do is that they -- because of their ability to manage risk -- they had a get-well plan in place within two weeks. They were looking at how they were going to position themselves into the future and now, you take a look at them, here it is a little bit less than four years later and they're a healthy, strong, growing company, one that by every means -- financial, technical, managerial -- is entrepreneurial in nature. And they're a real interesting company to take a look at. They have dynamic management, which is willing to learn from its mistakes. It asks for risks. It meets almost, I would say, all of these criteria that we've talked about and, again, is working very hard at learning from the future.

Bruce: Bob Charette, this has been insightful and fun. Thanks so much for joining us.

Bob: Well, thank you, Bruce, and I hope we can do this again sometime.

RESOURCES

Read more about Dr. Robert Charette


Sponsored Links

Closing the Gap Between Patient and Caregiver
Optical network solutions from AT&T provide scalable, secure bandwidth to keep the health care provider and the patient connected, despite increasing network traffic.
FREE Sophos Threat Detection Test
Scan for viruses, spyware & adware. Is your AV catching everything?
Web Penetration & App Testing
Web Penetration Security Services. 300+ Clients. Free, Quick Quotes!
See how EASY REMOTE SUPPORT can be. Try WebEx FREE!
DELIVER SUPPORT MORE EFFICIENTLY. Remotely Control Applications. Leap Securely through Firewalls!
SOLVE SUPPORT ISSUES on the First Call!
REMOTELY CONTROL AND CONFIGURE SYSTEMS. Easily install applications, updates. All from your Desktop!
» Buy a link now

Advertisements
Sponsored links
Locate Hidden Software on business PCs with this free tool
KODAK i1400 Series Scanners stand up to the challenge
Top 5 Reasons to Combine App Performance and Security
Bring harmony to your mix of UNIX-Linux-Windows computing environments
Home  Policy and standards Best practices
www.itworld.com    open.itworld.com     security.itworld.com     smallbusiness.itworld.com
storage.itworld.com     utilitycomputing.itworld.com     wireless.itworld.com

 
Contact Us   About Us   Privacy Policy    Terms of Service   Reprints  

CIO   Computerworld   CSO   GamePro   Games.net   IDG Connect   IDG World Expo   Infoworld   ITworld   JavaWorld   LinuxWorld  MacUser   Macworld   Network World   PC World   Playlist  

Copyright © Computerworld, Inc. All rights reserved

Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.