Hi everybody and welcome back to the Think Tech Hawaii studio. This is another episode of Security Matters. I'm Andrew Lanning, your host. Today Ben Butchko is with me from Butchko Inc. And I want you to strap on your business risk hat. I want you to pay attention. Ben's gonna share from deep subject matter expertise on risk management, but business risk management. We've got physical risk management. We've got operational business risk. We've got cyber business risk. He's gonna talk about the programs. He's gonna talk about how you can get there. You can learn a lot today from Ben. So enjoy yourself and enjoy the show. Ben, thanks so much for taking time to join us today. I know you're a busy guy.

Absolutely, I'm really excited to be here and share, and I'll try and change my normal howdy to an aloha so that folks can get a better sense. But some habits are hard to break, but we'll do the best and share some challenging thoughts as well as some background information to help folks out.

Good, yeah, howdy works fine. I use that all the time. I've been here 30 something years and my howdy just comes out too, so it's all good. So let's get into, so for the audience that's not familiar with your work, why don't you just take us back into your experience and, as much as you care to share, kind of what brought your passion for risk management and then how that's grown into today.

Sure, sure, well, I started my career and my degrees are in electrical engineering. So I didn't get it right the first time, went back for a second degree and then started working at Sandia National Laboratories in the nuclear weapons world. And we kind of call that the home for the over-educated. So just really bright people, a great vision for protecting the nation and with a broad spectrum of efforts. But that's really, in that world is where risk assessment grew and where I learned it and the fun piece which got me excited.
When I started out I wasn't in the security world at all and we were designing systems for decimation. But I got pulled into a project where we were transporting specialized nuclear cargo across the country and doing it out in the open, if you knew what to look for. But the idea was I was in charge of designing all the electronic security for that system. And the cool thing as an engineer was, if you can't design something as protection, then you had to figure out how to break it. And then not only could you break it, but what was practical? Now everyone can come up, you can always come up with your absolute worst case dream scenario, aliens come from outer space and do things, but what's practical? And that's where I learned and took that from the government arena into transportation logistics, where we weren't doing security but we were trying to make sure that the operation supply chain in trucking was resorted. And then from there led security engineering for ExxonMobil. So we've done risk assessments on every continent except Antarctica, and that's just cause I'm not really a cold weather guy, so I haven't gotten that far south. Now it gets below 60 degrees and I'm wearing the Carhartt. So when I moved to Colorado that was a real shocker. So we've assessed, and really the idea is there's a lot of security assessments out there and these are some of the stuff to visit, but what was ingrained for me from the start was not how do you break something and break into something or get something out? It's why do you care? What's that business reason or operations mission reason that you wanna look at risk? So it needs to go beyond just security and start looking at that full operations resilience, and that's what gets me excited.

How often do you think business misses the why?
You know, the whole shiny object thing, we see it in cyber a lot where they go buy a new tool and buy another tool and buy another tool but never really train the people about phishing emails, things like that. Business risk is the domain of the C-suite, I would think, you know, it lives with the guys that understand loss, what real loss could be, but risk assessment could be many levels down if it's only done at the security level, and the security guys may be not connected to the business position. Is that, can you give us a feel for, is that a 90% of the time disconnect? Is it sector specific in your experience? You know, how often is the business connected to the risk assessment that's going on?

It's not near as often as it needs to be and where it can really make a difference. And so as far as a percentage, in our business, and when we're talking with folks at the nuts and bolts level, especially in security, whether it be physical security or cyber security or safety risk, the experts in that area, they focus on risk in their area, and it's stepping away, and you don't actually have to go to the CEO and the C-suite, but you need to be at the folks that are the head of operations, whether it be the chief operations officer, the director of operations. That's the arena where the glue can come together, but normally the practitioners in their area of expertise, they just stick with what you're comfortable with, is a common thing in nature. And that's where it makes it, you're trying to battle that and say, I'm the head of security, but my business and my job and my position is I'm a security guy, I get paid to do security, so I really need to do a good job at that, instead of thinking in terms of I work for this, I work for an oil and gas company, so what do I do? I turn nasty brown stuff into money. How do I do that? I do that by making sure it's protected and only the right things get in and out. Or I'm in the finance industry, and what am I doing?
My purpose is to maintain the ability to lend money and to bring in and invest money, and that's not what we get trained as tacticians in school and our first positions. You're usually coming in with, this is the expertise you're trying to grab, and it takes a maturity as well as a different point of view to say, I need to think about the business, and once I tie those two together you're more effective in your job, and now you can actually assess business risk related to your expertise rather than hoping someone else will make that connection for you.

Yeah, it's, I guess that the impactful thing to just do enough, so first of all doing their job has like impactful factors, maybe they can't get to work or a system's offline or something like that, so there's a, but for them I think you used a good word there, tactical, and then the bigger, broader impact of that lack of asset use or whatever it might be, business has to project some bit of that in its business assessment. Systems are gonna be, I don't know if it's like root mean, was it RMS, like 70.7% of the time everything works right or something, I don't know if you can make money at that level or not, but like the, you know, is business risk across domain, that these areas of operation have got to come together and assess, like if there's multiple impacts at the same time in different areas that could be catastrophic, but those two guys have never talked before from a business perspective. So does it require a holistic sort of understanding of the entire operations in order to really be effective, or do you just end up with a, you know, a marginal sort of assessment that's, you know, he addresses some of this stuff some of the time?

But you hit on a key piece, and this is where, when I learned how to do it, we had team assessments, and the challenge, what you want to make sure is that your most effective assessments add different perspectives. It was a multi-disciplinary team. I've been on assessments where, and my rule of thumb is the most effective assessments, if you have a team of three people or five people or seven or in some places more, but then you have to, it gets to be really a challenge to manage, but you want to have less than half of the people security subject matter experts, because we all have blinders, we have biases. So I've been on assessments where we had a cultural anthropologist on the team. We were in Africa, well, we needed to learn Africa. We've had folks that were, they were business operation specialists and attorneys and safety guys and facility management folks, and make sure that, and we would still talk with everybody around, but you want that perspective that says, if my goal is to make sure my business is resilient, what does my business do? It's got security experts, it's got, if it's industrial, it's got safety experts, it's got finance folks, you've got whatever you produce, whether it be manufacturing or extraction or deployment. And so you want to have folks that will not come and try and solve the problem from exactly the same way, and that's how you bridge from the cyber security guys know how to protect their cyber environment and assess it really well, the physical folks know how to do the same thing, but the safety people and the operations people, they know their realm. And as long as you're willing to talk in that, sometimes rather excitable and animated discussions, because if I'm going to do something that really helps me for security but it reduces production output by 1%, so I save $100,000, they lose a million every day, the security guy's gonna lose. And by understanding that, you get credibility within the business leaders in the company that say, yeah, you're not looking out just for you, you're looking out for the company and you're willing to learn. And that's how, that's the fundamental, that's the foundation of a defendable risk assessment that looks at the operations risk and the mission of the organization, because if you're not supporting the mission, why are you even there?
I see, so sometimes the cost that someone thinks they have, if they don't have visibility on the broader operation, they can miss the boat completely. I get that breadth of, I guess, organizational risk assessment needs to get done. We're gonna take a break here, but when we get back we're gonna, I wanna talk about how much of industry is doing this the right way, and then maybe we can get into some pointers about what they're doing wrong, but we'll pay a few bills and we'll be back in about one minute with Ben Butchko.

Hi, I'm Rusty Komori, host of Beyond the Lines on Think Tech Hawaii. I was the head coach for the Punahou Boys Varsity Tennis Team for 22 years and we were fortunate to win 22 consecutive state championships. My show is based on my book, also titled Beyond the Lines, and it's about leadership, creating a superior culture of excellence and finding greatness. I feature a wide range of amazing guests who share valuable insights about how going beyond the lines leads to success in everything you do in life. I'm looking forward to you joining me every Monday at 11 a.m. Aloha.

Hey, we're back with Ben Butchko. I wanted to give a shout out to my Vietnam vets behind me, got the wall on the monitor. So thank you guys so much for your service. Hey, Ben, we're getting into this sort of workflow or the flow of the risk through a business. And you were mentioning a bit about the design, the value of the design of the risk measurement, things like that. Take us through your thoughts of how's it done right? What's it look like when it's packaged up properly and used properly to help a business protect itself and potentially save money during a catastrophic problem? Like we're living through right now?

Yeah. As one simple example. And really I think that's key, is the assessments that contribute to the mission of the company or the organization, that the leaders see as, there's a direct connection.
So when you're doing a risk assessment, if your risk assessment says, here's all the bad things that we think can happen, and here's how likely that that's going to occur, that's pretty fundamental in risk assessment. But the key is translating, when you define what are the bad things that can happen, that those are defined in terms of what keeps the business running, the organization achieving their mission. And then when you come up with, what are the remediation measures, the safeguards to improve the operation, those need to be written and described in terms specifically of what's the value they bring into that mission, not just because it's a good idea. The good idea may be it's regulated and so we need to be in compliance, so good idea means that we don't get a penalty. But that's different than what the business wants to see or the organization is. There's something that's either for stakeholders, the shareholders, the owner or the government, depending on who you're with. There's a reason that organization is there. And if you can't be a one-to-one correlation of what you're doing that matches that mission, you've missed it. And I've had this discussion with a guard supervisor at the front end of the chemical plant. And when they got it, came back a month later and they said, wow, my job just got so much easier. And now I know how to prioritize when I make suggestions, when I know what I need to do every day, what I know I need to improve. And so if the folks that are really down at, where some folks would say, well, they're on the lower end of the salary scale versus the real high thinkers that you pay a ton for, it doesn't matter where you are on that spectrum. That insight is valued.

That's awesome. Yeah, I think that that could get overlooked. I mean, I'm well out of my element for risk assessment other than understanding the value of it. How are these calculations done?
I mean, I've seen what's the FAIR method, factor, but anyway, there's a lot of calculation that goes on and I tend to see spreadsheets and drill downs. And I think it's a lot more complex than can be done by walking around and sort of saying that's a five and that's a two and that's a four. I think you sort of end up in the middle of the road more often than you intend to. And as you mentioned, the priority can't get picked out of the data that gets built. Everything's sort of a priority or nothing's a priority, maybe is what happens. How complex does this crunching get?

Well, there's a couple of pieces that feed into that. And one is, if you do an internet search for risk equation, you'll come up with tens of equations. They're all solved, but they're not all the same and they apply with different definitions of the same word. And so that causes a problem. And why is that done? A lot of it is because folks wanna hit the easy button, and it's easy to come back and say, wow, I think this is a, I'm gonna go with a five point scale and I'm gonna say that's a one, that's really bad, and five is really good, or I'm gonna flip it around, and I'm gonna have this pretty picture of red, yellow, green, blue and I'm gonna call it a calculation. Most risk assessments, they'll pick a risk equation and usually the simplest one is risk equals what is the impact of loss times the probability of loss. So what's my consequence times my probability, and you multiply that together. Well, if I multiply a five, and that five can be anything from, that's really, really bad, that's the definition, five is really, really bad and one is really, really good. Well, if I multiply really, really bad times it happens a whole lot, what's my answer? It's really meaningless.

Okay.

Because there's no context around, I can't, I'm trying to pretend like I have a rating and I'm treating it like it's a hard number that I can do math with.
Well, you can use those ratings very well to organize your information, but the calculations need to be made with more precise information, and you get a lot of pushback saying, well, I really don't know how often this is gonna happen. The challenge is, there are ways that you can say, here's my probability: I think when I flip a coin, I think that it's gonna be heads 50% of the time, and I have a confidence factor in that rating, that I say 50% of the time it's gonna be heads and I'm 100% confident that that's what it's gonna be, because there's only two sides of the coin. I can also say, I think it's gonna be heads, because for whatever reason, I say it's gonna be heads, 75% probability, but my confidence level is a lot lower. If you've come across with that and you can train people to do this, it doesn't take long to train people to think that way and they get calibrated, and now I can actually make my calculations with real numbers and I can present them in my one to five scale rating so that it makes it easier to put on a chart, and I've got real numbers behind it that are statistically defendable, and I've taken away some of the human nature, which we've seen in practice and we've seen in study, that says, one, if you're gonna rate something from one to five, on average folks are gonna get tired of where the ratings are and you're gonna get a lot more twos, threes and fours, because I'm not gonna take that personal, well, I'm really not sure if it's a four or five, but if I put a five down there it's gonna make it look really bad or really good and I'm not sure. So everything converges to the middle, and so the bigger the scope of your assessment, the more everything looks just the same, and that's the recipe for why the organizational executives don't look. It diminishes the integrity of the assessment because it stresses mediocrity, and so why should I worry about making my business decisions on a mediocre result where statistically everything comes out in the middle, unless it's the, oh my goodness, terrible, terrible, terrible scenario that I came up with that everybody knows, that's the way to babbling? So why did I spend a whole bunch of my internal resources and external resources for you to tell me exactly what I know with a mediocre basis of rationale? So that's the inherent problem and that's what's been our company challenge, and what we actually did in our process, that says, what everyone's been doing but putting their own name on it and calling it something different, we went down to the math level and said, this is the defendable equation, this is the defendable model that fits for your industry, your area, and if you have improvements to the model we can apply that into the model. You're not living with it, but everything, and the whole key is, we test that model and give it feedback so it's a closed loop. So you say, I think the world is gonna end tomorrow. Well, tomorrow night you test your hypothesis, get it in, well, hopefully not. But effectively that's how you make sure your model is real and it's not just, I hired Ben Butchko because I really think he's got a good opinion, and last year I hired Andrew on a different area because he's got a really great opinion and he gave me all kinds of great charts and everything, but okay, they're pretty, but I just paid for your opinion, which is great, but if I have a whole company to do, I need to have everyone produce the same results, because I'm not gonna get Andrew Lanning at every single site every single day, and he's not always on top of his game. Some days he's more tired than others, Ben Butchko the same way. So that's where the math comes in, and you have your tools embed the math so that the people using it think about what's important to their business. That's how you get success.
Awesome, so I like the idea of taking the, or at least having correctable human behavior, because anything like that that's being done by people is gonna have that variability of their experience day to day. They're gonna miss things or they're gonna feel differently about that thing today than they did yesterday and grade it differently when it was the same thing, right? That's gonna happen with human beings. So that's very interesting, to use math to correct them. Hey, we've got about a couple, about two minutes, a minute and a half left. What's the one takeaway you would give business owners if they wanna engage in a risk assessment? What's the one caution or point or two you'd give them to make sure that's effective for them at the outcome, you know, when they're done?

The quick piece, and it's like most projects, start with what is defined success? What is it you're trying to, what's gonna make that successful again? Define what you mean by risk assessment. Be clear that you want more than one perspective involved in that assessment so that I can get that broader scale. And if I wanna know, I wanna know just how my network is going to be impacted, then say, I wanna specifically, give me all the details on my network. If I wanna answer the question of, is my manufacturing plant gonna meet its targets this year, and address supply chain and production and labor, make sure you got those people engaged and set the rules up front, make sure they're using the same measurement tools and the same definitions for all the words they're sent, they're coming through, and then the rest are in the details, and we can teach people how to do the details so they can do it on their own, but that's generic where everybody can help themselves.

That's awesome. There you go, folks. There's a tip from Ben. And Ben, when your product launches I wanna get you back on here to walk us through some of the under the hood stuff if you get a chance, sir. I really appreciate you joining me today.
Thank you very much.

Hey, be safe out there, everybody. Aloha, take care of yourself, stay sheltered. We're gonna get through this crisis and hopefully get back to having our country growing again. Aloha and take care.