Sunday, January 24, 2010

Drawing internal buy in for improved Risk management

After my latest posts about risk management (identity management basics and getting the best out of your data) I was asked a great question I think about every day: it's great to have a methodology and a strategy, but how do you get other people in the organization (whether inside or outside of the risk management group) to agree and work with you?

Well, trying to both shape and implement a new terminology is as hard as any other change management, and is very similar to any type of internal marketing: the right catch phrases, proper branding and the right timing and location will do wonders. None of those will work if what you're "selling" is a bad product - an inconsistent, over-complicated or over-simplified method that people cannot use will never be as easy to implement as will a coherent system that makes sense and can be fairly easily comprehended - and used.

Nevertheless, even given a good system this is no mere feat. What are the keys to success? In my experience, there are three:
  1. Ownership: what this means is that you take responsibility over the area you are looking to improve. Too many times I have seen a person or a team trying to change a process or a notion while assuming the consultant position; in most cases, they will fail, because the key for making a change is rolling up your sleeves and making something happen. "If you build it, they will come", and "They" here are the aggressive achievers in your organization, the ones that recognize something that works and are not afraid to try and learn it. Stop saying "I told you so" and start doing!
  2. Transparency: no siloed organization make a change outside of its own boundaries. Only inclusion of other teams, clear communication and eternal repetition of your messages, coupled with deliverables, can make any type of substantial difference. Don't take the traditional risk management approach - don't scare people with the horrors that might happen if they invest in a project; instead, say: "this is what might happen, this is why, and this is how I intend to solve it. Want to help?".
  3. Gradual Enablement: think of new ways to say "yes". If your system is truly innovative it will allow you to take risks others can't because you can understand and manage them better. Still - don't rush into it, because small successes are key for maintaining momentum; use pilots and rapid prototyping to prove that something can be done, and expand responsibly. This way you can prove you can stop more fraud while not hurting users - and get the charter to expand.
Is this the magic bullet? No, but these keys will put you on the road to success, because they earn you the trust of partners while delivering the results you need to fuel your system. And, if we all adopt this point of view, risk will start being a driver of innovation of payment companies - definitely a time I would love to see coming.

Tuesday, January 19, 2010

No more secrets: managing risk when access control breaks

This post is a first in a series I will be exchanging with Allison Miller, one of my esteemed colleagues in Paypal's Risk organization, in her reinstated blog.

“Man may be defined as the animal that can say "I," that can be aware of himself as a separate entity”. (Erich Fromm)


“Identity” is a widely debated term, in various areas; Philosophy, psychology and social sciences discuss various aspects of the individual’s and a society’s identity and its representation in media, art and academic thought – from the Buddhist extremity of no-self to the capitalist self-definition based on what you buy, the variety of ancient and modern thought around definitions and applications of identity is vast. Loyal to the spirit of individualism in the Western world, the development of the New Age movement over the last decade led to the calling to each of us to find our own “true identity” through introspection; supported by modern psychology, the journey of identity constantly drives for defining, consolidating and presenting our personalities through titles that illuminate various aspects of our day to day behavior as part of a healthy, consistent and coherent identity that is who we are.

Wednesday, January 13, 2010

A call for resumes (in the bay area)

Over the past months I’ve been telling you about my take on risk management, automated decisions, digital goods and various other areas. I am now starting to look for candidates for my team to deal with these exact areas within Paypal – so if you’re one or think you know one, please let me know. This is not a formal job description, just a call for resumes so that I know you’re out there once I can hire you.

What I’m looking for is results driven, quick thinking do-it-alls who want to be involved with new products, markets and risk challenges within Paypal. You should have the passion for consuming a lot of data and information, be able to learn quickly and identify and define trends in concise terms. You should be analytical but not a data cruncher without any understanding of the big picture – we are playing at all fronts. Know or be able to learn how to drive processes through other people and organizations; working in ambiguous situations and coping with change is a must, as well as an ever changing operating rhythm. This is not your classic 9 to 5 and I’m not your classic 9 to 5 manager.

Experience is not a must (=graduates are also encouraged to apply), definitely not previous experience in risk management. However, please be an avid internet user, preferably a gamer in your past or present. Some security experience or tech savvy is a big plus – don’t get intimidated by developers, architects and tech talk. Impress me by having interesting hobbies out of work that you maintain although you are an aggressive achiever, and by having vast general knowledge (as in: you shout answers at “who wants to be a millionaire” while watching it on TV).

Read the blog. Process. Understand. Talk to me.

Email me at osamet67@gmail.com for more details and a nice chat :)

Thursday, January 7, 2010

Too much information: you may just have all the data you need

"This was not a failure to collect intelligence, it was a failure to integrate and understand the intelligence that we already had." NYTimes quoting President Obama after his meeting with national security advisers about a terror plot to bring down a commercial jetliner on Christmas Day. (Jan 6th 2010)

Going to the movies with friends from the intelligence community is never a cheerful experience. Spending two hours in a conspiracy movie with people who sometimes while seeing a (seemingly) absurdly powerful data collection device say “ah, I know this system”, will make you a firm believer in conspiracy theories or at least a more paranoid individual. But even the most tech savvy and well informed of those people talk like Pres. Obama in that quote above – it’s not lack of data, it’s our inability to process it that limits us. Maybe project ECHELON really stores all of our communication – but what super computer and what sophisticated algorithms can process and identify all of the world’s pictures, plethora of dialects in written natural languages and voice calls? You know what? If you know the answer, I’m not sure I want to know.