The Silent Type

“It’s OK. The competitor isn’t talking, so we can say anything we want.”

But what if “the competitor”…is YOU?

Get in the content conversation: https://bredemarket.com/cpa/

(Imagen 3)

RACI WOMBAT Talk

Earlier this month I posted a revelation:

I don’t want to reveal Bredemarket’s secret process, so I’m just going to call it WOMBAT. Not that WOMBAT is unique to Bredemarket; far from it. Many companies use WOMBAT.

And many companies don’t use WOMBAT. In fact, they abhor WOMBAT and call it stifling. (Emotion words. Geddit?)

But I’ve found over the years that if you don’t use WOMBAT, there’s a very good chance that you’ll break things.

And who catches hell? The consultant. “Why did you do what we asked you to do? Now look at the mess you made!”

So out of a sense of fear and self-preservation (geddit?), there are times that I’ve secretly used WOMBAT and not told my clients I’m doing it.

Well, I’m going to reveal one component of WOMBAT in this post because I’m surprised that I haven’t already discussed it.

But there’s a risk involved, because once I discuss this component, there are about five people in the world who will immediately know what my WOMBAT is. But luckily for me, none of them read the Bredemarket blog, so my secret is safe.

(Speaking of risk, the racy—not RACI—wombat image was created by Imagen 3.)

RACI

As some of you undoubtedly figured out, I’m going to discuss RACI: Responsible, Accountable, Consulted, and Informed.

Assume for the moment that Bredemarket grows beyond its sole proprietorship origins and becomes a multinational employing thousands of people. At some point I’ll be sitting in my luxurious executive suite, nibbling on caviar, and I’ll bark out an order:

“Write a blog post about a wildebeest amusement park!”

Now the blog post won’t just magically happen. And because the fictional Bredemarket is a huge enterprise, it will take more than one person to make it so. Perhaps four, perhaps more, perhaps fewer. Here’s how Bob Kantor at CIO defines Responsible, Accountable, Consulted, and Informed:

Responsible: People or stakeholders who do the work. They must complete the task or objective or make the decision. Several people can be jointly Responsible.

Accountable: Person or stakeholder who is the “owner” of the work. He or she must sign off or approve when the task, objective or decision is complete. This person must make sure that responsibilities are assigned in the matrix for all related activities. Success requires that there is only one person Accountable, which means that “the buck stops there.”

Consulted: People or stakeholders who need to give input before the work can be done and signed-off on. These people are “in the loop” and active participants.

Informed: People or stakeholders who need to be kept “in the picture.” They need updates on progress or decisions, but they do not need to be formally consulted, nor do they contribute directly to the task or decision.

Personally, I think there are cases when you want only a single person to be responsible for the work. But I agree that only one should be accountable.

Applying RACI

Using my ludicrous example, one (or more) people will be responsible for writing the wildebeest amusement park blog post, a single person (presumably one of my junior vice presidents) will be accountable for approving it, and various entities will be consulted for feedback (and, in the ideal world, may actually provide feedback). Then there are a few people who will be informed about the project, merely to roll their eyes at the whole thing.

Regardless of the process you institute, whether it is my super-secret WOMBAT process or something else, RACI responsibilities will help tremendously. Here’s another quote from Bob Kantor at CIO:

Having managed and rescued dozens of projects, and helped others do so, I’ve noted that there is always one critical success factor (CSF) that has either been effectively addressed or missed/messed up: clarity around the roles and responsibilities for each project participant and key stakeholder. No matter how detailed and complete a project plan may be for any project, confusion or omission of participant roles and responsibilities will cause major problems.

And some Accountable person approved what Kantor said.

Reapplying RACI

And this also affects Bredemarket’s content, proposal, and analysis work. For example, let’s look at the proposal that I recently helped a Bredemarket client win.

  • Two of us were jointly responsible for completing and submitting the proposal: myself, and a person at the client company. Yes, I know what I just said about preferring that only one person be responsible, but the federal agency in question would not let me submit the proposal; someone from the client had to do it.
  • This second person was the one who was accountable for the submission of the proposal.
  • There were several people who were consulted regarding this proposal. I cannot reveal their roles, but let’s just say that all of them were…um…critically important.
  • Then there were a few people here and there who were informed of the proposal progress.

Perhaps Bredemarket can work on a project with you. Let me know. https://bredemarket.com/cpa/

Frame, Assess, Respond, and Monitor (FARM) in Third-Party Risk Management

I just listened to a third-party risk management (TPRM) Mitratech webinar about NIST cybersecurity frameworks, hosted by OCEG, which talked about a farm.

No, they’re not planting corn at NIST’s Gaithersburg headquarters.

(At least I don’t think so. I haven’t been there since early 2009, back when Motorola and Safran people couldn’t talk about the possible acquisition. We did anyway. But I digress.)

Back to TPRM. In Mitratech’s case, FARM stands for “frame, assess, respond, and monitor.”

Here’s how Mitratech introduced the topic in a 2022 post:

NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor cybersecurity supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.

If you visit the latest (as of 2024) update to SP 800-161, you can find NIST’s explanation of the FARM in Appendix G. The three referenced levels in the quote below are the enterprise, mission, and operations levels.

The first approach is known as FARM and consists of four steps: Frame, Assess, Respond, and Monitor. FARM is primarily used at Level 1 and Level 2 to establish the enterprise’s risk context and inherent exposure to risk. Then, the risk context from Level 1 and Level 2 iteratively informs the activities performed as part of the second approach described in The Risk Management Framework (RMF). The RMF predominantly operates at Level 3 [SP80037], – the operational level – and consists of seven process steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Briefly:

  • Frame establishes the context.
  • Assess is the risk assessment itself.
  • Respond is where the assessors communicate the results of the assessment and propose mitigations and controls.
  • Monitor is compliance verification and continuous monitoring.

Section G.2 of the document includes much, much more detailed definitions of the FARM elements, should you be interested. I’d provide those details myself, but then I fear I’d have to say to you, “Sorry if I’ve stayed too long.”

Earthquake Phone Alerts Work

Back when AOL keywords roamed the earth, you didn’t learn about an earthquake until you felt it. Now, sensors and smartphones attempt to provide advance notice.

A little while ago my phone started beeping loudly. By the time I figured out why, I felt a strong jolt.

Luckily it was 90 miles away from me, and it was NOT a 6.0 as initially reported. (Helpful hint: an earthquake’s magnitude is never as initially reported.)

But it appears that many of us received advance warning.

Now if everyone can agree on the magnitude…

Replacing Underage Age Estimation With Underage Age Verification

Why do we have both age verification and age estimation? And how do we overcome the restrictions that force us to choose one over the other?

Why age verification?

As I’ve mentioned before, there are certain products and services that are ONLY provided to people who have attained a certain age. These include alcohol, tobacco, firearms, cannabis, driver’s licenses, gambling, “mature” adult content, and car rentals.

There’s also social media access, which I’ll get to in a minute.

So how do you know that someone purchasing one of these controlled products or services has attained the required age?

One way is to ask the purchaser to provide their government identification (driver’s license, passport, whatever) with their birthdate to prove their age.

This is known as age verification. Provided that the ID was issued by a legitimate government authority, and provided that the ID is not fraudulent, this ID provides ironclad assurance that you are 18 years old or 21 years old or whatever the requirement is.

But let’s return to social media.

Why age estimation?

If you’re Australian, sit down for a moment before I share the following fact.

There are jurisdictions in the world that allow kids as young as 13 years old to access social media.

However, these wild uncontrolled jurisdictions face a problem when trying to determine the ages of their social media users. As I noted almost two years ago:

How many 13 year olds do you know that have driver’s licenses? Probably none.

How many 13 year olds do you know that have government-issued REAL IDs? Probably very few.

How many 13 year olds do you know that have passports? Maybe a few more (especially after 9/11), but not that many.

So how can you figure out whether Bobby or Julie is old enough to open that social media account?

One way to do so is by using a technique called age estimation, which looks at facial features and classifies people by their estimated ages.

The only problem is that while age verification is accurate (assuming the ID is legitimate), age estimation is not:

So if a minor does not have a government ID, and the social media firm has to use age estimation to determine a minor’s age for purposes of the New York Child Data Protection Act, the following two scenarios are possible:

An 11 year old may be incorrectly allowed to give informed consent for purposes of the Act.

A 14 year old may be incorrectly denied the ability to give informed consent for purposes of the Act.

So what do you do?

How to perform underage age verification

Biometric Update points out that there is a free alternative for underage people ages 13-15 in the United Kingdom—the CitizenCard. These cards are issued in four categories:

  • ‘18+’ for adults
  • ‘16-17’ for those aged 16 to 17
  • ‘13-15’ for children aged 13 to 15
  • ‘Under 13’ for younger children

“OK,” you may say, “but so what? Anybody can print a card that says anything they want, like Alabama’s John Wahl did. Why should anyone accept the CitizenCard?”

Well…people, um, trust it.

CitizenCard is the only non-profit, UK-wide issuer of police-approved proof of age & ID cards….

CitizenCard was founded in 1999 and is governed by representatives from the National Lottery operator Allwyn, the Co-op, Ladbrokes & Coral owner Entain and the TMA.

CitizenCard…is the longest-established and the largest issuer of Home Office-endorsed PASS-hologram ID cards in the UK with more than 2.5 million issued.

[CitizenCard] is audited by members of the Age Check Certification Scheme on behalf of PASS to ensure that the highest standards of UK data protection, privacy and security are upheld and rigorous identity verification is carried out.

So one could argue that you don’t need age estimation in the UK, because there is a well-established way to VERIFY ages in the UK.

However, there are other benefits to age estimation, including the fact that estimation is frictionless and doesn’t require you to pull out a card (or a smartphone) at all.

How Do You Maximize Impact For the RIGHT Awareness?

It’s not enough for your company’s prospects to know who you are, but it helps. But you can do more than that…with Bredemarket’s help.

Who are you?

I just searched for the leading software providers in a particular category. This isn’t unusual. If someone wants to purchase software, they will often conduct their own research before letting themselves be pestered by salespeople.

My category search turned up several software packages.

It DIDN’T turn up numerous others in that category.

So a whole bunch of companies are already at a disadvantage, and there’s a good chance that their competitors are going to take their money because the software buyer won’t even think of purchasing from them.

The software buyer has no AWARENESS of these other software packages.

The Bredemarket website has an entire page on awareness, in which I make the following point:

“Two discussions of this three-step sales funnel are provided by Venn Marketing and Walker Sands (the latter of whom throws in things that happen AFTER the purchase, engagement and advocacy). 

“Both sources define awareness as the first step in the funnel, and its purpose is to (drumroll) simply make prospects, um, aware that you and your product/service exist.”

Obviously there are other things you need to do to end up with a happy customer, but you’ll never get a happy customer if they don’t even know about you during the prospect stage.

Awareness of what?

We’re a unicorn!

Now there are all sorts of ways to raise awareness, but some are better than others.

  • I previously linked to the story of Beatrice’s rise and fall, in which the fall was illustrated by the infamous “We’re Beatrice” campaign. The tagline? “We’re Beatrice.” What did the tagline mean to prospects? Absolutely nothing.
  • I knew of another company that was slightly more successful, but not much. Instead of saying “We’re (COMPANY NAME),” they loudly proclaimed “We’re a Unicorn.” This was back during one of the periods of heated market acquisitions. But what difference did the company’s unicorn status make for its prospects? Not much. If you’ve raised a billion dollars, I only care if you promise to give me a couple of million of it.
  • Here in Southern California, Honda car dealers have banded together to produce ads about the “helpful Honda people.” Unfortunately, the ads have nothing to do with cars, the products these commercials are supposed to be selling. What difference does a Honda dealer’s helpfulness make? Unless your cat is stuck in a tree, not much.

It’s not enough for your company’s prospects to have awareness about you. They need to have awareness about how you can solve their problems.

Only then will you make an impact.

Raising awareness

Bredemarket works with you.

Perhaps your company needs to raise awareness of your solutions to your prospects’ problems.

Bredemarket can work with you on this, asking questions and even engaging in…um…WOMBAT to produce impactful content for your company and its products and services.

So that your prospects know about you.

Then we can work on the next steps, consideration and conversation.

Book a free appointment to talk to me: https://bredemarket.com/cpa/

(All pictures from Imagen 3)

FinCEN Domestic BOI Changes: Terrorists Have Not Already Won

A Bredemarket message about financial identity and anti-money laundering (AML) enforcement.

A huge loophole?

Tell your firm’s fraud-fighting story: https://bredemarket.com/cpa/

(Money laundering picture from Imagen 3)

Don’t Know Your Business and Corporate Transparency Act Limited Enforcement (Oh BOI Again)

AuthenticID shared the following:

“In March, the U.S. Treasury Department announced it would no longer enforce the Corporate Transparency Act, the anti-money-laundering law that requires millions of businesses to disclose the identity of their real beneficial owners.”

Not entirely accurate as we will see, but the details are gated. But not at JD Supra:

“On March 26, 2025, FinCEN issued an interim final rule and request for comments, removing the requirement under the Corporate Transparency Act (CTA) for both U.S. companies and U.S. persons to report beneficial ownership information to FinCEN. The rule is effective March 26, 2025. Thus, subject to additional rule changes, U.S. companies and U.S. individuals no longer have to file an initial Beneficial Ownership Information Report (BOIR) or otherwise update or correct a previously filed BOIR.”

As the interim rule itself clarifies, foreign companies still have to report.

“On March 2, 2025, Treasury announced the suspension of enforcement of the CTA against U.S. citizens, domestic reporting companies, and their beneficial owners, and Treasury further announced its intent to engage in a rulemaking to narrow the Reporting Rule to foreign reporting companies only.”

The interim rule itself addresses the convoluted history (one, two, three) of FinCEN’s attempts to enforce anti-money laundering (AML) laws as court challenges persist.

I will let you judge whether this is welcome relief from bureaucracy for American companies, or a huge FinCEN loophole that facilitates AML financial identity evasion by simply letting companies represent themselves as domestic, allowing them to launder as much money as they please for terrorists, drug dealers, and others.

Not that I have an opinion on that.

(Business terrorist image Imagen 3/Google Gemini)

Know Your Political Influencer

In an article with a clickbait title, Newsweek reported on the indictment of Massachusetts state Representative Christopher Flanagan on various fraud charges. One of the allegations:

“Beyond the five wire fraud counts, the grand jury also indicted him on one count of falsifying documents related to a campaign flier. The mailer from “Conservatives for Dennis” endorsed Flanagan….[He attributed] “the source of the Mailer to a false persona, ‘Jeanne Louise,’” whom he created for the endorsement….In October 2023, he admitted to OCPF that Jeanne Louise “was fake” and he was the source of the mailer.”

There is so much effort to identify voters. What about identifying the sources of political endorsements?

Does your company have a solution to this? I can help you tell your story. Go to https://bredemarket.com/cpa/.

(Picture from Imagen 3)

Pay No Attention to That Man Behind the Curtain

H/T Donal Greene for this story of non-person entities that were really people.

“The nate app purported to take care of the remainder of the checkout process through AI: selecting the appropriate size, entering billing and shipping information, and confirming the purchase….In truth, nate relied heavily on teams of human workers—primarily located overseas—to manually process transactions in secret, mimicking what users believed was being done by automation.”

From https://www.justice.gov/usao-sdny/pr/tech-ceo-charged-artificial-intelligence-investment-fraud-scheme

Now the DOJ is indicting Albert Saniger for defrauding investors: https://www.justice.gov/usao-sdny/pr/tech-ceo-charged-artificial-intelligence-investment-fraud-scheme

(Picture from Imagen 3)