FCPA: Modern Day "Smoking Gun"...

Corporate malfeasance is on the mind of most global executives today. Their enterprise is consistently fighting the economic challenges and at the same time defending it's reputation as new "Smoking Guns" are revealed. Perhaps these modern day discoveries of wrong doing should be renamed "Smoking Digital Evidence" because this is exactly what it is. Information uncovered through normal monitoring practices or as the result of a specific investigation produces "Red Flag" alerts based upon acceptable use policy or corporate rule sets.

These "Red Flags" uncovered in the context of programs devoted to processing digital evidence is now a standard Modus Operandi for corporate governance, legal and operations risk management. These new tactical business units are being developed in a rapid response to new regulatory and compliance mandates yet the greater pressure is coming from the wake-up calls senior executives have been receiving lately.

The Justice Department's probe of the credit default swaps market is reportedly focusing on Markit Group Holdings Ltd., the London-based supplier of prices in OTC derivatives, and its relationship to a group of major banks that own a stake in the company. The DOJ is scrutinizing the ownership of Markit by a group of banks that control a large amount of pricing in the $28 trillion credit derivatives market.

The banks have received a notice of investigation from the DOJ asking them for details on their trading activity, including how much they have at risk in the market and their monthly value of their credit default swaps, according to Bloomberg News. Banks that own the largest stakes in Markit, include: J.P. Morgan, Bank of America (through its acquisition of Merrill Lynch), Deutsche Bank, Royal Bank of Scotland which acquired ABN Amro, as well as Credit Suisse, Goldman Sachs, Morgan Stanley and UBS, according to Bloomberg News.

"The DOJ is looking to find any wrongdoing in that marketplace," commented Paul Zubulake, senior analyst at Aite Group in an interview with Wall Street & Technology. "Obviously that is going to open up a large can of worms," he said. "It will be costly for the dealers that have to battle the DOJ given the discovery issues, about all the information, emails and instant messages they will need to turn over."

Digital Forensics, Records Management and eDiscovery units at some of the largest financial institutions are working overtime. Finding any "Smoking Digital Evidence" will be the standard operating procedure on most international transactions whether it be in the financial services industry or even telecommunications:

Good news for compliance officers: You now have solid evidence that the benefit of implementing an effective compliance program far outweighs the cost, in the form of the massive Foreign Corrupt Practices Act settlements swallowed by Siemens AG and three of its foreign subsidiaries.

Siemens, a German conglomerate that is one of the largest engineering firms in the world, agreed in December to pay more than $1.6 billion to U.S. and German regulators for a massive bribery scheme that felled the highest executives at the company. Penalties paid to the Justice Department and Securities and Exchange Commission alone topped $800 million, by far the largest sanction ever imposed in an FCPA case.

In the following excerpt, Linda Chatman Thomsen speaks on the massive Siemens investigation: "Furthermore, the $1.6 billion total that Siemens will pay in these settlements is the largest amount that any company has ever paid to resolve corruption-related charges.

And that is fitting because the alleged conduct by Siemens was egregious and brazen. It was systematic, it involved thousands of payments, and it occurred over an extensive six-year period. Siemens created elaborate payment schemes to conceal these corrupt payments to foreign officials. The company’s inadequate internal controls allowed the conduct to flourish.

The details tell a very unsavory story: employees obtained large amounts of cash for Siemens’ cash desks; employees sometimes carried that cash in suitcases across international borders to pay bribes; payment authorizations were recorded on post-it notes that were later removed to avoid leaving any permanent record; there were slush funds and a cadre of consultants and intermediaries to facilitate paying the bribes.

Investigating this intricate scheme and righting Siemens’ wrongs has taken a remarkable and unprecedented level of coordination among many law enforcement agencies around the world."

The internal threat of employees, partners and so called in-country agents who help facilitate business deals is one square in the risk management matrix. The business transactions themselves are becoming part of the Venn Diagram that includes:

• Business & Global Commerce
• Personnel Security & Integrity
• Rule of Law & Litigation

As global institutions continue their expansion across the continents where capital follows security and the rule of law, so too will the attacks on the corporate enterprise.

operational risk

Trusted Systems: Human Factors in Play...

The case is U.S. v. Dreier, 09-cr-00085, U.S. District Court, Southern District of New York (Manhattan). It's only the beginning of a long hard road for many unidentified subjects (unsubs) as the fall out from the U.S. Economic crisis uncovers who was stealing others peoples money for their own fraudulent schemes.

Marc Dreier, the New York law firm- founder who pleaded guilty to defrauding hedge funds of more than $400 million, should be sentenced to 145 years in jail, prosecutors said, as a defense lawyer sought a term of as little as 10 years.

The rival requests came in court filings today in federal court in Manhattan. Dreier will be sentenced on July 13 by U.S. District Judge Jed Rakoff. Investors who placed more than $740 million with Dreier lost at least $400 million, lawyers said.

Operational Risks associated with 3rd party suppliers is a continuous concern. Effective due diligence with partners and service providers is a necessary task, on a quarterly basis. Many institutions leave it up to the service level agreement (SLA) or the written contract to be the monitor. To their demise, written words on a contract are not enough. Especially, when the partners are the lawyers themselves.

New York prosecutors on Wednesday said 13 people and a mortgage origination company have been indicted on charges of running a multimillion-dollar real-estate fraud that cheated lenders through sham sales.

The defendants include employees at the Long Island, New York-based mortgage company AFG Financial Group Inc, several attorneys and other defendants, according to Manhattan District Attorney Robert Morgenthau.

The investigation is continuing, and Morgenthau said the size of the scheme could eventually total $200 million.

One lawyer accused of engaging in fraudulent transactions was involved in transactions adding up to more than $100 million, Morgenthau said.

Lenders who were victimized in transactions made by that one lawyer included New Century Mortgage Corp, WaMu/Long Beach Mortgage Co, Countrywide Financial, First Franklin Financial Corp and Mortgage Network USA Inc.

The financial services sector will continue to be a quagmire for transactions for decades to come. The due diligence, fact checking and assurance that the "Deal" is a solid one will continue to under go a tremendous burden on all parties. The consumer, the lender and the underwriters.

The human factors associated with crimes such as fraud are well known. The study of the "Ponzi Scheme" has been a text book case for study in business schools for years. What may not have been so obvious is the science behind the human motivators. And maybe not even noticeable, is how accustomed the human is to trusting the automated world we live in. The fact that computers calculate what we have purchased in the retail store is one of the first trusted information scenarios we grow up with. How many people actually add up all of the dozens of items in their grocery cart, calculate the tax and any discounts to see if the Point of Sale (POS) system has done it's math correctly?

So what is Human Factors Science?

Human factors are sets of human-specific physical, cognitive, or social properties which either may interact in a critical or dangerous manner with technological systems, human natural environment, or human organizations, or they can be taken under consideration in the design of ergonomic human-user oriented equipments. The choice/identification of human factors usually depends on their possible negative or positive impact on the functioning of human-organization and human-machine system.

Did someone try to steal Goldman Sachs’ secret sauce?

While most in the US were celebrating the 4th of July, a Russian immigrant living in New Jersey was being held on federal charges of stealing top-secret computer trading codes from a major New York-based financial institution—that sources say is none other than Goldman Sachs.

The allegations, if true, are big news because the codes the accused man, Sergey Aleynikov, tried to steal is the secret code to unlocking Goldman’s automated stocks and commodities trading businesses. Federal authorities allege the computer codes and related-trading files that Aleynikov uploaded to a German-based website help this major “financial institution” generate millions of dollars in profits each year.

Trusted Systems and the information that flows from them is only as good as the programs that run them and the people who developed the millions of lines of code in the software. The trading systems at the NYSE, NASDAQ and Hang Seng Index are only as reliable as the calculations and the integrity of the systems themselves. When that trust is compromised in the trusted system, whether it be a program or a person, human factors take over.

operational risk

4th of July: Flying the Stars & Stripes of Freedom...

The U.S. (Uncle Sam) celebrates 233 years tomorrow. The Stars and Stripes of our flag will be flying high. How far we have come and yet we still envision that we have so far to go.

Celebrating the 4th of July in the United States means different things to different people. It all depends on your tenure here and how you have contributed to defending the freedoms we all share. And for those who have made the trip to our borders or overseas to defend our country, we give special thanks.

Two years ago we saluted Spencer S. on Memorial Day, as he prepared to make his way to being deployed to Iraq. He is still there now, an Airborne Medic and we are thinking about him and all those other families who have sent their sons and daughters, husbands and wives, brothers and sisters, or fathers and mothers into harms way to defend our freedom. We are humbled by your courage and thank you for your selfless contributions to keep us more safe and secure back home.

The Patriots of the U.S are vast and found everywhere, serving the country in uniform by military or law enforcement, in suits and ties or dresses among the halls of government agencies found in small towns and famous suburbs like Langley. These millions of patriots and citizen soldiers are working to defend the truth of the Declaration of Independence and our Constitution.

At the same time, they are all Operational Risk Managers, mitigating the daily risks to life, property and our vital economic assets. Mike Stanley of the American Legion captures the essence of the early days of our country:

The United States of America began as thirteen different English colonies established along the eastern seaboard during the 17th & early 18th centuries. Gradually many of the colonists began to think of themselves more as Americans and less as Englishmen, a feeling that was spurred on by the decision of the British Parliament in the 1760s to tax the colonies for the expenses associated with keeping them in the British Empire. Since the colonists had no elected representatives in the British Parliament, they felt that these new taxes were “taxation without representation” and therefore, illegal.

From this point, the situation escalated quickly as Patriot groups formed to discuss the possibilities, and by the early 1770s, the Patriots had their own Provincial Congresses in each of the thirteen colonies, effectively replacing the representatives of the British government. In 1775, the Second Continental Congress was established, the Continental Army was organized, and fighting broke out when the British responded by sending combat troops to the colonies.

Finally, on July 4, 1776, the Declaration of Independence was signed, establishing the United States of America. The fierce determination of the Patriots to prevail, plus the important military and political support of the French, the Spanish & the Dutch, insured an American victory, and in 1783, the signing of the Treaty of Paris ended the American War of Independence and guaranteed the sovereignty of the United States of America.

Conflicts in the 21st century will be fought for many of the same reasons, and with a revolution of robots. In P.W. Singer's latest book, "Wired for War" he prepares us for the next 100 years:

What happens when science fiction becomes battlefield reality?
An amazing revolution is taking place on the battlefield, starting to change not just how wars are fought, but also the politics, economics, laws, and ethics that surround war itself. This upheaval is already afoot -- remote-controlled drones take out terrorists in Afghanistan, while the number of unmanned systems on the ground in Iraq has gone from zero to 12,000 over the last five years. But it is only the start. Military officers quietly acknowledge that new prototypes will soon make human fighter pilots obsolete, while the Pentagon researches tiny robots the size of flies to carry out reconnaissance work now handled by elite Special Forces troops.

Wired for War takes the reader on a journey to meet all the various players in this strange new world of war: odd-ball roboticists working in latter-day “skunk works” in the midst of suburbia; military pilots flying combat mission from their office cubicles outside Las Vegas; the Iraqi insurgents who are their targets; journalists trying to figure out just how to cover robots at war; and human rights activists wrestling with what is right and wrong in a world where our wars are increasingly being handed over to machines.

Maybe someday, Spencer will be able to stay hundreds or thousands of miles out of harms way to defend our countries freedoms, because they won't need medics on the battlefield anymore.

operational risk

Digital Forensics: Right to Question CSI's...

The US Supreme Courts ruling in MELENDEZ-DIAZ v. MASSACHUSETTS will have significant impact on Digital Forensics expert practitioners. Legal cases utilizing the examination of computers and other digital assets containing relevant information will have more testimony by CSI analyst experts. The New York Times report by Adam Liptak says:

Crime laboratory reports may not be used against criminal defendants at trial unless the analysts responsible for creating them give testimony and subject themselves to cross-examination, the Supreme Court ruled Thursday in a 5-to-4 decision.

Noting that 500 employees of the Federal Bureau of Investigation laboratory in Quantico, Va., conduct more than a million scientific tests each year, Justice Kennedy wrote, “The court’s decision means that before any of those million tests reaches a jury, at least one of the laboratory’s analysts must board a plane, find his or her way to an unfamiliar courthouse and sit there waiting to read aloud notes made months ago.”

The outcome of the ruling for the prosecution is that forensic examiners and scientists will be more thoroughly scrutinized in the tests they perform. The process will require more effective documentation and the ability to play back for a jury exactly the process utilized to support any facts of evidence. This will not be difficult as Best Practices today are being utilized such as the video taping of the entire test and examination. Achieving a "Defensible Standard of Care" will however be even more of a priority for Operational Risk Management professionals.

The defendant will have the ability to cross-examine the analyst, whether it was making a determination on what the blood type was of the accused attacker or the date, time, and place that the defendant sent an e-mail from the office computer to a co-conspirator.

In the digital forensics environment, the ruling means that the subject matter experts will simply be spending more time in court and on the witness stand. This will impact the time it takes to conduct the trial yet the rights to examine the process, expertise and documented procedures for the evidence that has been introduced is an important issue.

From an Operational Risk Management point of view, this means that your eDiscovery and Digital Forensics certified examiners will be under the magnifying glass and subject to the questioning by counsel. We see an increased attention related in civil matters coming soon. Several states are asking that the outsourced entities associated with inspection of digital assets be licensed by the state itself, as a Private Investigator. This provision would subject the expert authority to also being legally certified in the knowledge of state laws pertaining to civil procedure, chain of custody and legal procedures on the handling of evidence.

The question remains on whether the Supreme Court Justice's were thinking beyond the test for the presence of a drug, as this case was focused on in MELENDEZ-DIAZ v. MASSACHUSETTS. The defense bar will be utilizing this ruling to go beyond the criminal courts to the civil trials where white collar cases are largely based upon the documents, e-mails and other digital evidence that has been retrieved using forensic procedures.

It will be interesting to see how this ruling impacts the professional licensing, certifications and documentation of examinations for the 21st century Digital Forensic "CSI".

operational risk

Proactive Risk Strategy: Transnational Asset Forfeiture...

Effective strategy execution and the application of intelligence to gain increased mission efficiency is the name of the game. The public / private convergence of people, processes, systems and the fusion of relevant international incidents data establishes the playing field. The threats to the very fabric of our economic and security well-being is directly tied to the rule of law, the safety of the environment and the ability for capital to be invested with prudent risk management mechanisms in place.

If any component of this fabric becomes frayed or torn, this vulnerability threatens the overall resiliency of this "Transnational Ecosystem". The homeostasis of the "Transnational Ecosystem" is dependent on the factors associated with it ability to gain new energy, (food, water, power, money) and to continually "Adapt" to it changing environment. The ability to adapt rapidly within this ecosystem will determine who the winners are and also the survivors. So what is a good example of this "Transnational Ecosystem" that we can apply to public / private convergence and Operational Risk Management?

Although pioneered in the USA, there now appears to be a global trend to use stand-alone civil proceedings as a means of recovering the proceeds of crime in the hope that they will be more effective than proceedings that are ancillary to and dependent on a criminal prosecution. Recent examples of jurisdictions that have introduced civil forfeiture legislation include Italy, South Africa, Ireland, the United Kingdom, Fiji, the Canadian Provinces of Ontario, Alberta, Manitoba, Saskatchewan and British Columbia, Australia and its individual States, and Antigua and Barbuda. In addition, the Commonwealth has produced model provisions to serve as a template for jurisdictions that wish to introduce such legislation.

This trend towards civil forfeiture has been prompted by the nature of organized crime. Organized crime heads use their resources to keep themselves distant from the crime that they are controlling and to mask the criminal origin of their assets. For this reason it has become extremely difficult to carry out successful criminal investigations leading to the prosecution and conviction of such individuals, with the result that finances derived from crime are often effectively out of the reach of the law and are available to be used to finance more crime. Such peaceful enjoyment of the proceeds of crime damages public confidence in the rule of law and provides harmful role models. This has led to a recognition that criminal confiscation regimes may be inadequate and ineffective in certain cases.

Traditionally, the use of OPS Risk strategies associated with civil asset forfeiture have their intersection with AML (Anti-Money Laundering) and Terrorist Financing. Moving money on a global basis utilizing the modern day "Hawala" or informal value transfer system requires smart people and sophisticated systems. Putting the person at the right place with the right evidence is the investigators "Holy Grail" yet there are other effective means for increasing that resiliency in the ecosystem.

The financial meltdown and economic crisis has impacted both the "Boy Scouts" and the "Wise Guys" on how to continue to prosper. The use of such tools such as Asset Forfeiture in combination with timely intelligence both Open Source and proprietary can provide the means for another effective Operational Risk strategy in a public / private consortium. The cooperation, coordination and collaboration of banking, hedge funds, broker dealers, insurance companies and private equity firms with federal and state task forces is a growing trend.

The mantra "Need to Know" is quickly being replaced with "A Responsibility to Provide" in the intelligence community and soon to be in the ranks of the financial private sector as it pertains to adapting to the transnational ecosystem. One good example of this momentum can be found in the rapidly growing education and awareness programs focused on this very subject:

Mission Statement

AssetForfeitureWatch.com is the indispensable source of news, information and training for law enforcement professionals and others working in the asset forfeiture field. At AssetForfeitureWatch.com, we understand that turning the proceeds of crime against criminals is one of the most powerful tools law enforcement agencies have for keeping communities safe, eliminating corruption, and crippling cross-border criminal enterprises. In offering training and education, an annual conference, live and Web seminars and an interactive community, AssetForfeitureWatch.com keeps its members on the leading edge of asset forfeiture strategy and practice.

The goal is to utilize the existing international legal framework to improve the resiliency of the "Transnational Ecosystem." Beyond the banking institutions are the governments and countries themselves who must make their decisions about their own business and commerce models. These havens across the globe will continue to exist because they don't have manufacturing capacity, IT outsourcing services or a port for trading and exporting raw materials. Therefore, they will continue to cater to the needs of suspect enterprises, non-state actors and even some rogue nations states.

So what is the lesson here? Reading between the lines. Assets in your portfolio, on your books, in the warehouse or even in your personal possession may soon be the property of a government entity near you.

operational risk

4GW: U.S. CyberSpace OPS Risk...

The Washington, DC beltway bandits are buzzing in anticipation of President Obama's selection for the next defender and policy maker for United States CyberSpace. We wonder what branch of the armed forces s/he will be associated with and to what degree they gain the agreement of the power base that CyberSpace is indeed a "Strategic National Asset", once and for all.

Meanwhile, OPS Risk Managers are dealing with transnational non-state actors (in some cases funded by nation states) that are robbing our private sector and government agencies blind. Stealing Personal Identifiable Information (PII), Corporate Intellectual Property, Defense R & D and classified State secrets. The next commander of U.S. CyberSpace has an even bigger job once the job starts; protecting and defending our country's vital Digital Infrastructure. This nexus of criminal, terrorist and irregular warfare is being waged on a 24/7 basis here in the homeland.

So how do you go about fighting this 4th Generation (4GW) war comprised of well organized, decentralized, clandestine subjects operating in the cyber shadows? This begins with creating an effective Information Sharing Environment (ISE), a fusion of who, what, when, how, where and maybe why. Defending the nation against the physical attacks of the likes of Al-Qaida or the virtual attacks from Yingcracker has some very interesting similarities.

If the next Secretary of U.S. CyberSpace is going to take the fight to those who wish to copy, delete, probe, scan, flood, bypass, steal, modify and spoof their way across our Digital Infrastructure, they could learn from this synopsis from Robert Haddick:

Does it take a network to beat a network?

On June 5 United States Joint Forces Command (USJFCOM) wraps up a week-long war game designed to test the Pentagon's vision of warfare in the future. The war game looks ahead to the year 2020 and examines how U.S. and allied military forces -- along with civilian government, non-government, and international institutions -- cope with a failing state, a globally networked terrorist organization, and a peer competitor. The results of the war game are supposed to influence the conclusions of this year's Quadrennial Defense Review, an in-depth review of the Pentagon's strategies.

Officials at USJFCOM won't discuss the results of the war game until at least July; many of the most interesting conclusions may remain classified. But the commander of USJFCOM, General James Mattis of the Marine Corps, described his vision of the future while delivering a speech at the Center for Strategic and International Studies.

Mattis discussed how today's adversaries have adapted to U.S. conventional military superiority by forming disaggregated networks of small irregular teams that hide among indigenous populations. United States military forces, by contrast, have only come under greater central control. According to Mattis, this shift is due to evolutions in intelligence-gathering and communications technologies. Call it the new iron law of military bureaucracies: when commanders gain the technical ability to micromanage, they will micromanage.

Mattis believes that in order to defeat modern decentralized networks, U.S. forces will have to become decentralized themselves. This will entail giving autonomy to and requiring initiative from the youngest junior leaders in the Army and Marine Corps. High-performance small infantry units, "a national imperative" according to Mattis, will need to operate independent from higher control, finding their own solutions to local problems as they implement broader policy guidance.

Whether the troops are fast roping out of helicopters or behind the flat screen detecting and analyzing the stealth cyber attack, the approach to defeating the adversaries is much the same. Infiltrating the "cells" and collecting valuable INTEL on the global enemy is what gives us the "Ground Truth." The commander for U.S. CyberSpace will soon be educated on the private sectors role in achieving this continuous and lofty goal of a creating more decentralized and clandestine citizen soldiers.

As the private sector battles the non-state actors for preservation and protection of valuable customer data, corporations are simultaneously being attacked by adversarial plaintiff lawyers.

U.S. insurer Aetna has been targeted in a lawsuit alleging it failed to protect personal information of employees and job applicants, documents indicate.

The lawsuit comes after Aetna, of Hartford, Conn., was struck by computer hackers to access a company Web site holding personal data for 450,000 current and former employees as well as job applicants, the Hartford Courant reported Wednesday.

The private sector would enjoy having our government involved in more proactive efforts to seek out and stop these criminal and terrorist entities that prey on organizations that remain vulnerable. The Operational Risks associated with litigation in the corporate enterprise are here to stay. If the public and private sector can once and for all coordinate, collaborate and "Share Information", we can disrupt, capture, prosecute and defeat our cyber adversaries.

operational risk

Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the context of business gets on the Board of Directors agenda after every tragedy. Whenever the magnitude of the business disruption involves loss of life, or major property damage the executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Let's think about a simple process from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items that have been sold to the customer.

In the context of university higher education, the process of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about your supply chain that provides the necessary resources, energy, infrastructure and people to make it all happen. Does this business issue seem like a trivial matter?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begins. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech University in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her opinions magnify the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news. Just like you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well be more significant as the analysis and the investigation continues.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what when? The litigation is ongoing and some still are seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it gets boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all hazards approach is talked about and is continuously aware of the threats to life and property along with the economic implications of any business disruption? If you have people and property in California the answer is yes. Earthquakes, brush fires and now even the lack of government resources are existing risk factors. If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch then your organization should have heightened situational awareness and crisis management mechanisms already in place. The whole State of Florida, North & South Carolina, Louisiana, Texas and others who know the aftermath of Hurricane Katrina are sensitized to the requirements for effective preparedness.

So what is the difference in an event such as the "Active Shooter" scenario on your campus or the catastrophe sent by "Mother Nature"? The answer is the accuracy in predicting the event itself. All the preparedness for either event starts with the mind set that it will happen. Only one can be prevented, preempted or neutralized before it can cause harm.

Sadly, the Report of the (Virginia Tech) Review Panel to the Governor, issued in August 2007, contained important inaccuracies, despite the panel’s best efforts to get to the truth. University officials, it now appears, may have been less than candid and forthright in their responses to the questions put to them by the panel.

operational risk

SOC: Statement of Truth...

Global transnational organizations who provide executive security protective details are on the rise. Corporate personnel who must travel to high risk regions of the globe realize the requirement for a minimal, yet comprehensive security envelope.

Back at the "Security Operations Center" (SOC) you will find a team of subject matter experts working in concert, to continuously enhance the Operational Risk Management matrix. One set of analysts are tasked with the media review and intelligence collection from Open Sources. One example could be CNN or even more regional sources such as Alhurra:

Alhurra (Arabic for “The Free One”) is a commercial-free Arabic language satellite television network for the Middle East devoted primarily to news and information. In addition to reporting on regional and international events, the channel broadcasts discussion programs, current affairs magazines and features on a variety of subjects including health and personal fitness, entertainment, sports, fashion, and science and technology. The channel is dedicated to presenting accurate, balanced and comprehensive news. Alhurra endeavors to broaden its viewers' perspectives, enabling them to make more informed decisions.

Another set of analysts are sifting through online intelligence portals such as Opensource.gov or Data.gov . However, when you have a specific executive who is traveling to a specific country there are more detailed plans and advance work that takes place. These facets of corporate enterprise risk and operational risk management are vital to protect human assets and the ongoing continuity of business operations. Situational awareness enhancement is a 24/7 x 365 day process.

Whether your business takes you to Pakistan, Mexico or South Africa the risk of bombing, H1N1 or criminal elements are a real potential threat:

Rob Watson of the BBC reports on the latest explosion in Lahore:

What is striking about this latest attack, and so worrying for the Pakistani authorities, is the timing and choice of target.

It occurred near the offices of both the local police chief and of the national intelligence agency, the ISI, and comes as the Pakistani military is engaged in a massive campaign against militants in the north-west. So the initial speculation is that this is in some way a revenge attack.

Questions will again be raised about the inability of the authorities to stop the attack altogether given they were clearly expecting reprisals and were on a heightened state after the two other recent attacks in the city.

Executive Protection Detail's have been utilizing the compendium of wisdom and research that is found in Gavin De Becker's latest publication, "Just 2 Seconds" and for good reason:

Think of every assassination you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.

From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for this book, all of them combined, took place in less than a half-hour. Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers.

Operational Risk is far more pervasive than detection of fraud, mitigating the loss events from internal information theft or intellectual property. It's been said here in the blog before and it's worth repeating again this statement of truth:

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result to obtain their objective."

Whether you utilize this statement within the context of your digital domains, physical domains or the vast set of processes within the enterprise, it does not matter. What does matter, is that those individuals responsible for the survivability and the defensible standard of care of the organization, never forget it...

operational risk

OPS Risk: Military Lesson for Wall Street...

Air Force Brig. Gen. Mark W. Graper, the 354th Fighter Wing commander at EIELSON AIR FORCE BASE Alaska has captured the essence of Operational Risk Management. Corporate Executives and mid-level management should have this made into a poster for their office and hanging in every hallway:

Summer is just around the corner, and many of us are planning for our favorite warm weather activities - fishing, hunting, hiking, motorcycling, camping and more. All of our summer plans can be fun if we keep in mind the basics of operational risk management: Accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; make risk decisions at the right level; assess and mitigate risk. Stated more simply, have a (prudent) plan, have a backup plan and have a wingman.

Whether you are focused on the safety and security of your personnel, the integrity and confidentiality of your information or the continuity of your business operations it's a fact that effective "Operational Risk Management" will improve your organizations resilience factor. The brilliance of Brig. Gen. Graper's emphasis on this subject away from the flight line or "The Office" , is his understanding that most of us will become more complacent the minute we hit the parking lot. You see, OPS Risk is not just something being advocated in the workplace. It's just as pervasive at home or in our own leisure activities. Whether you are climbing "Denali" or entertaining friends around the backyard pool, you have to be continuously in OPS Risk mode, or it could bring harm to life, limb or your own reputation.

Operational Risk includes the risk of litigation and there is one item you can be certain that is a threat to your corporate integrity. Employees, partners and suppliers to your organization:

Freddie Mac investors have filed expanded court claims accusing the mortgage finance company and three former executives of committing fraud by misleading them about risky loan practices and manipulating financial results.

The allegations, contained in a nearly 300-page court complaint filed late on Tuesday, are based in part on interviews with more than 100 former company employees and others who are described in the lawsuit as having knowledge of Freddie Mac's operations and finances.

One of the unnamed employees cited in the lawsuit is a former director of operational risk management at the company, who was quoted in the complaint as saying that Freddie Mac was an "appallingly run company" and that it was clear as far back as August 2007 that its capital position was inadequate.

"CONFIDENTIAL WITNESSES"

Other so-called "confidential witnesses" cited in the complaint include a former Freddie Mac vice president of investor relations and an ex-senior examiner with the Office of Federal Housing Enterprise Oversight, the company's regulator, now part of the newly formed Federal Housing Finance Agency.

What most organizations the size and complexity of Freddie Mac under estimate, are the speed of change and the socially "connected" market economy. The blur of business combined with the "Holistic Blindness" of what risks are a threat today or this week, can bring an enterprise to it's knees and then to it's ultimate demise.

Whether it's buying and packaging financial assets to sell on Wall Street or keeping your F-22 Raptor in the air to defeat hostiles, OPS Risk is the differentiator. Your survival depends on it.

operational risk

Economic Impact: Hedge Funds Beware...

In a recent ACFE study on the impact of an economic recession, the results are eye opening. More than half (55.4 percent) of respondents said that the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior.

Additionally, about half (49.1 percent) of respondents cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity (27.1 percent) and increased rationalization (23.7 percent).

The survey also found that:

Employees pose the greatest fraud threat in the current economy. When asked which, if any, of several categories of fraud increased during the previous 12 months, the largest number of survey respondents (48 percent) indicated that embezzlement was on the rise.

Layoffs are affecting organizations' internal control systems. Nearly 60 percent of CFEs who work as in-house fraud examiners reported that their companies had experienced layoffs during the past year. Among those who had experienced layoffs, almost 35 percent said their company had eliminated some controls, while 44.2 percent said the layoffs had no effect on controls and only 3.2 percent said their company had increased controls.

Fraud levels are expected to continue rising. Almost 90 percent of respondents said they expect fraud to continue to increase during the next 12 months. Additionally, the fraud most expected to increase is embezzlement.

These results are not too surprising. Internal control systems could be an issue if there are layoffs in the risk management departments or reallocated enterprise resources. The embezzlement schemes come in many forms and they know where and what areas will be neglected in oversight during the economic belt tightening.

Most of these fraudsters are brilliant "con men". They know how to prey on the human factors of greed and fear. Powerful emotions must be monitored by a "Corporate Vigilance" and awareness program. This preempts potential breaches and crisis incidents that will ultimately impact personal and corporate reputations.

Three factors are generally accepted as being necessary for a fraud to occur: pressure, opportunity, and the ability to rationalize illegal behavior. Unfortunately, the presence of each of these factors may rise in periods of economic hardship. Organizations and individuals alike can experience the pressure of increased financial strain. Opportunities for fraud could proliferate as many companies cut their workforces and otherwise reduce expenditures, perhaps leading to reduced internal controls and fewer proactive fraud prevention measures. And bombardments of bad financial news could cause mounting feelings of helplessness, pessimism, and isolation, which may, in turn, allow individuals to rationalize previously unthinkable acts.

So what can you do to detect early the potential existence of a suspected fraudster in your organization without subjecting current employees to retribution or put them into harms way? One effective strategy is to hire an outside entity to perform ongoing interviews and investigations that is independent of the internal audit department or OPS Risk staff. The other step is to compartmentalize the unit in terms of information exchange and to increase overall operational security.

Harry Markopolos, who is responsible for investigating Bernie Madoff for 8 or 9 years did exactly this and for good reason. His team was operating in the field under his direction and was kept secret even while he was talking to the SEC. Why? Some of the off-shore funds Madoff was doing business with were only a few steps removed from organized crime, according to Markopolos. If these firms new that Mr. Madoff was stealing them blind, they could have put some adversarial actions into play.

Once the fraudster gets the indicator that any one is getting close to the point of questioning their behavior, you can bet the evidence will begin to be destroyed or masked. This destruction of evidence can begin with simple deleting of e-mails, documents or the creation of new e-mails or data to mask or cover up the trail of fraudulent activities. This is when the use of Digital Forensic examinations on weekends or evenings while employees are away from the workplace can help reveal the presence of "Anti-Forensics."

The presence of anti-forensic tools to cover their tracks, e-mails or where they are visiting on the Internet might be the first sign that you may have an actual fraud scheme in operational mode. Hidden or encrypted files found on an employees laptop or desktop utilizing unauthorized sofware tools or downloaded freeware is a huge "Red Flag."

It's important for any investigator to consider the human factors and the behavior associated with people under pressure and close to the end of their hidden occupational fraud operation. These typically have been going on for up to 24 months before they are discovered and you can be sure that they have thought about the day when they are finally discovered. The fight or flight mode kicks in at this point and organizations are obligated to mitigate the risks of harm to fellow employees.

Effective Corporate Integrity units in global enterprises require the right internal resources, independent outside expertise and a comprehensive OPS Risk framework to be more successful.

Hedge Funds have been on alert for months now. Marc Dreier, the New York law firm founder accused of defrauding hedge funds by selling $700 million in phony promissory notes, might face life in prison after pleading guilty to fraud charges.

According to prosecutors, victims of the fraud included Amaranth Group Inc., Perella Weinberg Partners, Eton Park Capital Management LP, Concordia Advisors LLC, Novator, Meyer Ventures LLC, Blackstone Group LP’s GSO Capital Partners and Elliott Management Corp.

The case is U.S. v. Dreier, 09-cr-85, U.S. District Court, Southern District of New York (Manhattan).

operational risk

Human Factors: Early-Warning System...

Predictive Intelligence And Analytics From 1SecureAudit Provides Transnational Organizations With A Preemptive Human Factors Early-Warning System

According to Managing Director and Chief Risk Officer of 1SecureAudit, Peter L. Higgins, the complexity of today's extended global enterprises requires a new governance lens to view hidden insider risks and to guide management executives to achieving a defensible standard of care.

"Our newest consulting practice accelerates the time line in identifying employee insider risks and potential threats associated with international client transactions," said Higgins. "Ms. Marcia Branco is launching our new client offering with more than a decade of experience identifying the complex connections between human behavior and corporate operational risk responsibility."

Advocating a "People First" approach, Ms. Branco, vice president, practice director of the Predictive Intelligence and Analytics practice, believes corporate personnel; partners and suppliers represent a tremendous asset and simultaneously a significant legal liability to a business. "People are the primary focal point to better understanding and resolving systemic risk problems within the walls of the enterprise and beyond to the extended supply-chain," said Branco.

The Association of Certified Fraud Examiners affirms "U.S. organizations lose an estimated seven percent of annual revenues to fraud," and insider negligence is the highest cause of data breaches, reports the Ponemon Institute & PGP Corporation. The complexity and quantity of insider threats is growing at the same time as businesses are facing shrinking budgets and mounting pressures to maintain and grow profits with fewer resources. "How successful has your company been at identifying and swiftly addressing issues, conflicts and preventing malfeasance? Whether originating internally from an employee or contractor or at your extended border of partners, suppliers and clients, predictive intelligence is essential?" asks Higgins.

1SecureAudit provides critical assessments, internal investigations, strategy execution and program development. These proactive governance and advisory services generate positive change to business culture, operations and bottom line.

"Our distinctive 'People First' approach examines your organization's human capital assets to gain unique insights on corporate culture, company issues and the workforce's attitude about management and business initiatives. We convert these human factor data into predictive intelligence to preemptively determine how to best shape current and new corporate strategies. Our clients are able to take advantage of short-lived opportunities, attract and retain employees, partners and customers, demonstrate a more defensible standard of care and promote a trustworthy corporate reputation," stated Branco. "Does your organization consistently adhere to and enforce corporate policies, ethical standards and procedures that value your employees and respond to shareholder advocates?"

Working with 1SecureAudit to integrate predictive intelligence in any business strategy and practices is a sound investment that directly contributes to corporate management's, Board of Directors', and shareholders' peace of mind. For more information, visit 1SecureAudit.com or e-mail RDU (at) 1SecureAudit.com.

operational risk

Predictive Intelligence: Data or Precogs...

The use of the term "Predictive Intelligence" has been around for a few years. Born from the marketing collateral of the Business Intel (BI) vendors. Essentially, get a whole bunch of GB's of historical data and then use some new tools to mine it for so called insight. The questions is, why is this predictive intelligence and not just more "Information."

Now introduce the nexus of "Human Factors". The unexplained behavior of people influenced by environment, interaction with other people or even the substances people put inside their body. Whether it's the coffee kicking in, the hangover from last nights Monday Night Football party or the latest argument with your spouse, it influences your perceptions on information.

Christian Bonilla may be on to something here:

Professionals in the foreign intelligence community take pains to distinguish between information and bona fide intelligence. Any piece of knowledge, no matter how trivial or irrelevant, is information. Intelligence, by contrast, is the subset of information valued for its relevance rather than simply its level of detail. That distinction is often lost in sector of the enterprise technology industry that is somewhat loosely referred to as Business Intelligence, or BI. This has become a bit of a catchall term for many different software applications and platforms that have widely different intended uses. I would argue that many BI tools that aggregate and organize a company’s information, such as transaction history or customer lists, more often provide information than intelligence. The lexicon is what it is, but calling something “intelligence” does not give it any more value. In order to sustainably outperform the competition, a company needs more than a meticulously organized and well-structured view of its history. Decision makers at all levels need a boost when making decisions amidst uncertainty and where many variables are exerting influence. They need what I would call predictive intelligence, or PI – the ability to narrow down the relevant variables for analysis and accurately measure their impact on the probability of a range of outcomes.

What does the fusion of human factors have to do with predictive intelligence? That depends on how much you value the kind of innuendo and messages in the Tom Cruise movie, Minority Report. Many aspects of the original Philip K. Dick story were adapted in its transition to film that was filmed in Washington, DC and Northern Virginia. Is it possible to predict someone's future behavior even before they commit a crime or become violent?

Set in the year 2054, where "Precrime", a specialized police department, apprehends criminals based on foreknowledge provided by three psychics called "precogs".

Cruise plays the role of John Anderton who is part of the experimental police force known as "Precrime." These aspects of clairvoyance and precognition has many skeptics and their use for predicting future events or a related term, presentiment, refers to information about future events which is said to be perceived as emotions.

Regardless of terms, beliefs or whether the software analytics are using historical data, the science of "Predictive Intelligence" is about forecasting the future. Based upon the recent global events that missed the forecast of economic implosion based upon historical data, maybe it's time to start introducing more human factors to the equation.

The interviews with people who have gone on record to predict a future historical event will probably be right at some point in time. How long will you be around to wait? The demise of General Motors and the extinction of Lehman Brothers, Bear Stearns and maybe even AIG were most likely predicted by someone, somewhere. The point is that you have to have context and relevance to the problem being solved or the question being asked.

Predictive analytics extracts information from data and attempts to forecast the future. It relies on capturing relationships between explanatory variables and the predicted variables from past occurrences, and exploiting it to predict future outcomes. Is it possible that there was and is too much reliance on the numbers and not enough on people's intuition?

This blog has documented the "11 Elements of Prediction" in the past. Now it's time to utilize the combination of these human factors in close collaboration with the data analytics and numbers. Effective execution of both will provide corporate management the situational awareness they seek within the time line they wish.

operational risk

Economic Impact: Proving the Truth...

The Madoff investigations into so called "feeder firms" are now gaining momentum. The question on who are the victims and where fraud is suspected continues it's due course. The process of client referrals is not a crime and allegations that correlate this with fraudulent behavior is a flawed mindset. The current basis in the Merkin case has more to do with non-disclosure of where clients money was actually invested:

Andrew Cuomo, the New York attorney general, yesterday filed civil fraud charges against the hedge fund manager Ezra Merkin, alleging he secretly channeled more than $2.4bn to Bernard Madoff's Ponzi scheme in exchange for lucrative fees.

The move is the second regulatory action in two weeks against one of the big so-called "feeder" funds that sent billions of dollars to Mr Madoff, who pleaded guilty to one of history's biggest investment frauds.

Mr Cuomo accused Mr Merkin, a leading figure in the New York charity community and former chairman of financing company GMAC, of steering money from charities, universities and non-profit organisations to Mr Madoff without their permission and reaping about $470m in fees for his three funds.

"Merkin duped individual investors, non-profits and charities into believing he was responsibly managing their investments, when in actuality he was dumping them into history's largest Ponzi scheme,'' Mr Cuomo claimed yesterday.

Operational Risk professionals in these hedge funds and other alternative investment firms are getting prepared. These organizations will continue to be under the regulatory spotlight for years to come. Fraud and the fear of fraud will make their potential clients even more diligent in their understanding of where their funds are being invested. The federal watchdogs, oversight mechanisms and civil law suits will require firms to have their risk management "Act" together.

When it comes time to prove the truth, whether innocent or guilty, it will come down to information. The likelihood that this information is housed in a database, e-mail system or off-site disaster recovery repository is almost certain. Digital information that is part of any inquiry for civil or criminal action is subject to the "Rules of Evidence" and the "Federal Rules of Civil Procedure." This is where most of the alternative investment firms have their greatest exposure and vulnerability today. Call it the "Readiness Factor".

In a groundbreaking case from the past year, Qualcomm Inc. v. Broadcom Corp., No. 05CV1958, 2008 WL 638108 (S.D. Calif. March 5, 2008), the court found the plaintiffs to have committed "monumental and intentional" discovery violations for failing to produce thousands of documents requested in discovery. The court cited the "impressive education and extensive experience" of Qualcomm's attorneys to justify significant sanctions for failure to produce relevant e-mails, including reporting to the State Bar of California.

The "Readiness Factor" goes far beyond the process or procedures for preserving evidence. It starts with the creation of information inside the organization. How is it classified, where is it stored and who has access to it? These are fundamental Information Technology and Records Management 101 questions that any prudent organization has already answered. Where most firms find themselves with their backs up against the "legal wall" has to do with relevance, authenticity, and admissibility of information.

The "Alternative Investment" industry is quickly learning that their own IT professionals are going to end up on the witness stand and in early depositions. They are going to be hearing questions such as:

• What policies or procedures do you manage in your department/organization?
• What training do you have on the collection and preservation of "Electronically Stored Information"?
• Explain your responsibility or supervision of access controls, folder management, indexing, purging controls and metadata?
• Describe the procedures your firm utilizes to identify the places, people (custodians) and quality of the data that has been preserved for this case?

The list continues and the IT professionals better be ready. Adversarial counsel will be digging deep to get after the key components of authenticity and spoilation issues. The unfavorable outcomes from a lack of readiness can produce an "Economic Factor" that far exceeds the cost of just finding and producing the information for e-Discovery.

The economic impact of proving the truth in any case can be significant. If you were a savvy and smart prosecuter, the cases that would filter to the top for scrutiny may very well be those firms that display the most "IT Immaturity." Getting some wins under your belt with some relevant case law could determine how fast future cases are settled far in advance of ever getting to trial.

For those "Alternative Investment" firms that are behind the 8 Ball, here is a good place to start your own discovery of the total cost of proving the truth. The E-Discovery Road Map.

operational risk

4GW: Irregular Warfare in the Homeland...

Why is the US House Armed Services Subcommittee holding a hearing soon that is entitled: "Terrorism, Unconventional Threats and Capability on Terrorism and the New Age of Irregular Warfare: Challenges and Opportunities"?

Here is one good reason:

Baitullah Mehsud, the leader of the Pakistani Taliban recently claimed responsibility for the deadly attack that took place at a police academy on Monday in Lahore, Pakistan. But that’s not all. According to Mehsud, the next attack is going to be much closer to home. In a phone interview with the Associated Press, Mehsud indicated that his terrorist organization was planning a devastating attack on Washington D.C. that would “amaze” the world. Heritage analyst James Phillips told Fox News:

It should be taken seriously because [Mehsud] has ordered the deaths of many Pakistanis and Afghans and has a close alliance with Al Qaeda. It’s not too much of a stretch to think he might be involved in an attack on the U.S. if he’s able to get his followers inside the United States. He’s a militant extremist whose threats cannot be ignored.

Though most Americans associate terrorist attacks with bombings, armed ground assaults can just as deadly and disruptive. The most dramatic recent example was the Terrorist attacks that took place in Mumbai, India last November, killing almost 200 people.

Ground assaults are not just a terrorist tactic that might happen over there. Over here, it has been less than two years since six terrorists were thwarted in their attempt to assault Fort Dix in New Jersey.

The 4GW (Fourth Generation Warfare) strategy is well over five years old. We are glad to see that one of the best on this topic will be at the Armed Services hearing on Capitol Hill. Let's hope John Robb gets an opportunity to outline the following:

Differences
Many of the methods used in 4GW aren't new and have robust historical precedent. However, there are important differences in how it is applied today. These include:

• Global -- modern technologies and economic integration enable global operations.
• Pervasive -- the decline of nation-state warfare has forced all open conflict into the 4GW mold.
• Granularity -- extremely small viable groups and variety of reasons for conflict.
• Vulnerability -- open societies and economies.
• Technology -- new technologies have dramatically increased the productivity of small groups of 4GW warriors.
• Media -- global media saturation makes possible an incredible level of manipulation.
• Networked -- new organizational types made possible by improvements in technology are much better at learning, surviving, and acting.

Corporations, Government Agencies and owners of strategic critical infrastructures owned by the private sector are continuing their vigilance in light of the 4GW emergence. More than ever the need for effective OSINT (Open Source Intelligence) gathering at the street level is imperative. Yet all the Humint and sensor based collection of data will not change the myopia of insight unless there is a rapid adoption of the new mantra: "Responsibility to Provide."

The "Responsibility to Provide" statement is rapidly replacing the old and ineffective rule of "Need to Know". Our adversaries realize that our "Need to Know" mentality is one of our greatest vulnerabilities and they will continue to exploit this weakness. Washington, DC is has just emerged from a period of coordination, cooperation and unprecedented effectiveness across legal, political and jurisdictional boundaries. The fact is that the 44th Presidential Inauguration bound together thousands of people across the country to keep our Nations Capital safe and secure in January. This mission was accomplished and the result has been ever so felt by those who were in the middle of the operational command centers, such as WRTAC, the Washington Regional Threat and Analysis Center.

WRTAC provides DC Metro partner agencies and local jurisdictions with a watch command, plus an Open Source Daily Brief of current news articles relating to terrorism, homeland security, critical incident response and public safety. The key factor here is "Relevance" on the ground level to your own community and the local assets needed to raise situational awareness.

If Baitullah Mehsud is telling the truth, then it is not so much a matter of "what" 4GW tactics will be utilized, it is a matter of "when."

operational risk

Unthinkable: Adapting in New World Disorder...

35 million electronic records of Personal Identifiable Information (PII) was exposed in 2008. Up 47% according to reports by the Identity Theft Resource Center (ITRC) compared to the previous year.

Will 2009 bring more data breaches, lost laptops and insider theft than 2008? You can bet on it and this is why CSO's, CPO's and General Counsels are getting their teams ready. When the enemy is increasing their attacks, utilizing new strategies and leveraging the existing base of compromised assets the picture is clear.

That suggests that many companies can significantly boost security and reduce their exposure by following basic and inexpensive measures. But even if your company has encryption in place (as Heartland did), don't rest too easy. "The sophistication and automation of financially motivated cybercrime is very steep today when compared with counter-efforts," says Ken Dunham, director of global response at iSight Partners, a provider of threat intelligence services. "Criminals are agile and able to outpace the rate of adoption of counter-technologies in the marketplace."

The motivation for cybercrime is even higher during economic hard times. A January report by iSight says that the economic decline in the United States and around the world will significantly increase the risk organizations face from employees who are laid off, fear being laid off, or face some form of personal financial trouble that may lead some to consider insider crime.

The insider remains a key focus for Operational Risk Management professionals because human behaviors are exaggerated during periods of stress, fear and uncertainty. This means that people who may not have any prior criminal history, have never considered doing something to jeopardize their reputations may now be up against a wall. When there is no exit and no way out, people do extraordinary things to get ahead, beat the odds and hedge their own risk portfolio of life. Study the women who have made decisions to strap on suicide vests or the dozens of "Mini Madoff's" yet to get their day in court. Both have similar attributes tied directly to human behavior.

In Joshua Cooper Ramo's new book "The Age of the Unthinkable", "Why the New World Disorder Constantly Surprises Us and What We Can Do About It" the author discusses the concept of Deep Security. His analogy of how to think about "Deep Security" is the biological immune system. "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."

The key word in Ramo's writing is "Adapt". Being Adaptive. However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy fraud investigator on how she solved the case and you may hear just that, "I had a hunch." Talk with a Chief Privacy Officer in any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems, data networks and the hundreds of laptops circling the globe with company executives is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern enterprise does not come natural. You have to work at it and it requires a substantial investment in time and resources to make it work effectively. Once you realize that all of the controls, technology and physical security are not going to keep you out of harms way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

operational risk

Situational Awareness: Reality in ORM...

Situational Awareness has always been a key factor in effective Operational Risk Management and Real-Time Incident Command.

Situation awareness (SA) involves being aware of what is happening around you to understand how information, events, and your own actions will impact your goals and objectives, both now and in the near future. Lacking SA or having inadequate SA has been identified as one of the primary factors in accidents attributed to human error .

What you know and when you know it, can make the difference between life and death in the context of weather forecasting and the future Hurricane Katrina.

However, it can also provide you with the intelligence you need to save lives and avoid new risks as a more sudden and unpredicted threat unfolds. Whether it's the active shooter, disgruntled employee or a international hotel under siege, it should not matter. Let's take a minute and look at a sample time line on the Mumbai attacks in India last November 26th, 2008 from a situational report:

• Two terrorists have barricaded themselves in the Oberoi Hotel; 3 dead and 25 injured. 11/26/08 10:31 PST
• Terror strikes at 12 places in Mumbai. Up to 20 hostages held at Oberoi Hotel.
  11/26/08 11:57 PST
  
• Several British and American civilians among hostages at two hotels. Explosion reported at Taj Hotel. 11/26/08 13:59 PST
  
• Explosions and fire reported at Oberoi Hotel; clashes continue in multiple locations across Mumbai. 11/27/08 07:23 PST
  
• Indian elite commando chief is reporting that the Oberoi-Trident Hotel has been cleared of terrorist threat. 11/28/08 01:03 PST
  
• Counter-terrorism operations declared over; at least 195 killed in attacks. An investigation is underway. 11/29/08 16:06 PST

Look at the time stamps and the lag time between each one. The person writing these bullets for a "Flash" message to subscribers or people asking for text based updates was either not using all of the potential assets available to them, or they just did not think there was any relevance of the other information unfolding. This example of 1998 "Situational Awareness" reporting is not only dangerous, it's letting the "Grey Matter" get in the way.

The problem with most "Situational Awareness" capabilities is that the subject matter experts, commanders in the SOC/NOC, or the business CEO 2,000 miles away are letting the "interpreters" on the street in the heat of the crisis determine what is important.

The second issue and until now, is that the information is not "Real-Time". Let's solve this problem once and for all.

RealityVision™ software gives organizations something they have never had before: the ability in a crisis environment to instantly broadcast live video and other data from the scene that can be shared immediately with everyone who needs to see it, wherever they may be located and without any intervention on their part.

If you’re an individual who’s responsible for preventing or quickly resolving critical events that cannot be predicted, Reality Mobile enables you to quickly monitor and appraise situations remotely using continuous, live video, transmitted from field personnel using off-the-shelf devices and any commercially available network.

From terrorist threats to train derailments and traffic accidents, remote equipment malfunction and infrastructure damage, our RealityVision™ software puts you instantly in the know and in control. With RealityVision, you can now immediately create a shared perspective with all team members regardless of where they are around the world.

Your Operational Risk Management tool box is now up to date. Pay it forward.

operational risk

Compliance: Workplace Security, Ethics & Governance...

Bernie Madoff clones and the 11,000 other unregulated investment advisors across the US will be subjected to increased scrutiny in 2009 and beyond. The SEC, FINRA, US Treasury FINCEN, FBI and the tribe of banking regulators are all gearing up for audits, inspections and more granular forensic accounting examinations.

Fraud and the corruption of corporate America is hard to detect. Even more difficult when the watchdogs are too busy or without the resources to do the job effectively. Post Enron and the whole SOX wave of documentation, controls implementation and testing the Big Four Accounting firms were very busy.

The cases are among a series of recent alleged frauds at financial firms. While they have been handled differently, they have shined a light on loopholes in federal regulations, such as fragmented regulations governing brokers, investment advisers, auditors and other firms. And the cases have underscored obstacles facing authorities, including inadequate resources for detecting wrongdoing and difficulties in gaining access to foreign financial accounts.

"Reform is needed to close the existing regulatory gaps that expose investors to risk," said Richard Ketchum, chief executive of the Financial Industry Regulatory Authority, Wall Street's self-policing agency.

SEC Chairman Mary L. Schapiro is looking to work with lawmakers to overhaul the nation's financial regulatory system. This week, the SEC announced that it would partner with a government-funded research center to study ways to better assess the thousands of tips and complaints that come in each year. The House and Senate plan to consider legislation as early as late spring that would bring all financial activities under federal regulation. The details, however, aren't clear.

At the SEC, Schapiro plans a new focus on spotting fraud and other market manipulation early on. She plans to create a large team to seek out where abuses might be occurring. Then she plans to direct the SEC's limited examination staff toward those places. "We've got to be able to conduct risk assessment that allows us to understand where problems might arise and connect the dots between different problems in different places -- whether they're generated by different products, different firms or different trends in the economy," Schapiro said in a recent interview.

The internal threat to your institution by your own employees who may do you harm, intentionally or not is just a core factor in day to day Operational Risk Management. Where it gets more interesting to plaintiff lawyers is when there is a clear pattern of ignorance or just plain lack of resource allocation or funding to policing the organization. The even more vulnerable facet of the OPS Risk mosaic could be the supply chain of companies and people who represent the vital outsourced functions. How many mission critical components of running your business have you handed over to call centers, ISP and hosting companies, distribution and delivery, back office administration including accounting and payroll?

One of the key areas of due diligence long overlooked at these investment advisers is the supply chain of feeder firms. The alternative investment industry has it's reach into the accountants and tax advisory services for a good reason. They are the ones who prepare your tax returns. Their insight into your cash flow, ability to invest and necessity for potential hedging of tax liability gives them the opportunity to be great referral agents. How many times has your tax advisor recommended you go see a friend in the alternative investment industry?

Creating awareness among the ranks of corporate America that everyone is going to be under the magnifying glass won't change the motivators:

• Money
• Ideology
• Compromise
• Ego

Economic challenges inside the corporation or on the home front can increase exposure to heightened threats in the workplace. These include violence, fraud and product theft at a minimum. However, the greatest asset of value being attacked, stolen and sold to the highest bidder is information. Corporate espionage and good old fashioned competitive intelligence is a 21st century Operational Risk Managers nightmare.

Workplace Security, Ethics and Governance programs will continue to be a focus for auditors and inspector generals. A lack of evidence of effective and robust efforts to deter, detect, defend and document withing the confines of the institution could be a differentiator when it comes time for any sentencing guidelines to be considered.

§8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

operational risk

Future Risk: Citizen Soldiers Extinct...

It's not often that we see an editorial article that prompts us to get the scissors out of the drawer to cut it out of the Washington Post. This opinion by Matthew Bogdanos is worth some additional review from an Operational Risk perspective. He is a Colonel in the U.S. Marine Corps Reserves and an assistant district attorney for New York City.

"A nation largely founded on the citizen-soldier ideal finds itself, following Vietnam and the expulsion of recruiters from campuses, with the military and civilian worlds warily eyeing each other across a cultural no man's land. As budgets shrink future forces, veterans will be fewer and the chasm wider -- to our peril.

No one wants everyone to think and act alike. Diversity is a major source of our nation's strength. But this diminishing shared experience leaves us ill-prepared against global terrorism. As the British general Sir William Butler warned a century ago, "A nation that will insist upon drawing a broad line of demarcation between the fighting man and the thinking man is liable to find its fighting done by fools and its thinking done by cowards."

We will leave it up to the Operational Risk Managers of the globe whether to agree with Col. Bogdanos and his comments. What is our take away from his words about "Duties That Are Best Shared?" We think it's quite simple.

How can an "Operational Risk Manager" make effective decisions without having walked a few "clicks" in another persons boots? Effective decision support from the Incident Command Center is far more effective if the person making those decisions has relevant and first hand experience. Asking a new hired employee to take the week long orientation training without having done it yourself, is not only bad management, it's reckless governance of the organization.

Years ago after the invasion of Baghdad, this OPS Risk manager (Bogdanos) did what we do every day. He adapted, improvised and overcame risks in order to recover stolen artifacts from the museums. The investigation was successful because not only was he someone that had experienced what it was like to operate in a war zone, he also was a subject matter expert on much of what was recovered.

If you are going to be an effective risk manager, you have to train with your troops in the business unit or the base. You have to know first hand what you are talking about. Without these, "we risk a future without all of us working towards the same ends --whatever society decides those ends should be."
operational risk

CAG 17: Red Team ...

The Consensus Audit Guidelines (CAG) are now public and the 20 controls are vital to our enterprise business resilience. One stands out however that is not automated and requires a specific advance strategy. CAG: Critical Control 17: Red Team Exercises:

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses so they are uncertain about its capabilities and unprepared for identifying and responding to attack.

This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercise in the traditional sense of military exercises where the three goals are improved readiness of the organization, better training for defensive practitioners, as well as inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.

We would like to emphasize the importance of this strategy execution beyond the IT and Information Systems within the organization. In any significant business disruption or "incident", whether it be the breach and theft of a database full of "Personal Identity Information" (PII) or the breach of a rear window of a corporate executives residence to initiate a kidnapping plot; the goal remains the same:

"Attackers use tools to exploit a vulnerability; to create an action on a target, that produces an unauthorized result to obtain their objective."

Think about it for a minute. Whether it be the online digital world or the offline physical environment your organization is operating in today; someone is probing and testing your vulnerabilities. The only possible way for you to discover them before your adversary is to continuously attack your own business and it's assets. And possibly most importantly, it must be done on a clandestine basis.

clandestine
1566, from L. clandestinus "secret, hidden," from clam "secretly," from base of celare "to hide"

What value can be gained from exercises or testing that is conducted with advance warning to your staff or team? Very little. To execute the "Red Cell" approach to effectively improve and to increase the resilience of your organization, the strategy execution must remain secret. Yes of course there will be people placed throughout the organization in key areas that know that the exercise or attack on the organization is a planned exercise. However, it is only for the safety and liability purposes along with the potential injection of simulations that increase the effectiveness of the vulnerability testing.

The CAG has 20 controls that are focused on Cyber Defense and 25% of these will require manual intervention, planning and effective oversight. Automated tools can only go so far to address the real goal of understanding human behavior during and after a "Real Incident" actually unfolds. In the context of using a Red Team exercise you must include the use of Gavin De Becker's "Elements of Prediction" with your employees and stakeholders.

1. Measurability - How measureable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the preincident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are compareable- though not necessarily identical- to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This is how and where you extend your physical controls to the actual people who will make the difference before and during a critical incident in your enterprise.

operational risk

Oversight Risk: Evidence of Compliance...

In light of the tremendous announcements of corporate and financial malfeasance over the past few months, there is a "cramdown" in the works. The US Office of the Special Inspector General for the Troubled Relief Asset Program (SIGTARP) is gearing up.

The Office of the Special Inspector General for the Troubled Asset Relief Program ("SIGTARP") was established by the Emergency Economic Stabilization Act of 2008 ("EESA").

Under EESA, the Special Inspector General has the responsibility, among other things, to conduct, supervise and coordinate audits and investigations of the purchase, management and sale of assets under the Troubled Asset Relief Program ("TARP"). SIGTARP’s goal is to promote economic stability by assiduously protecting the interests of those who fund the TARP programs - i.e., the American taxpayers - by facilitating transparency in TARP programs.

Transparency and effective oversight in the TARP will be accomplished in coordination with other relevant oversight bodies, and by robust criminal and civil enforcement against those, whether inside or outside of Government, who waste, steal or abuse TARP funds.

The Special Inspector General, Neil M. Barofsky, was confirmed by the Senate on December 8, 2008, and was sworn into office on December 15, 2008.

As the new Stimulus Package works it's way to the local and state governments additional oversight will be placed on the bidding, procurement and contracting processes. Compliance with federal and state laws will become ever so vital as funds are applied under TARP in the mortgage markets and "shovel ready" projects are funded for maintenance and repair of critical infrastructures.

As the government ramps up to spend trillions of dollars to revive the economy, loopholes in federal law and a shortage of FBI agents assigned to investigate white-collar crime could lead to a big payday for perpetrators of mortgage fraud and other schemes.

That's the view of lawmakers who want to extend federal fraud laws to private mortgage companies that aren't regulated at the federal level, and provide $155 million a year to the U.S. Justice Department to triple the number of active mortgage-fraud task forces and help the FBI rebuild its white-collar investigation program.

So what should a Chief Compliance Office or Vice-President of Operational Risk Management at an institution be concerned with over the next few years? Get ready. First and foremost, the Board of Directors will be focused on "Corporate Governance Strategy Execution." Public institutions who have most recently taken on the role of becoming a more traditional bank in order to become eligible for government funds are most at risk. Some of these include traditional insurance companies and credit or charge card institutions. This is because they have not had the controls, staff and policy programs in place to effectively deal with all of the new banking regulations and compliance mechanisms the oversight agencies will be scrutinizing during their audits.

Securities and Exchange Commission Chairman Mary Schapiro plans to look into whether the boards of banks and other financial firms conducted effective oversight leading up to the financial crisis, according to SEC officials, part of efforts to intensify scrutiny of the top levels of management and give new powers to shareholders to shape boards.

As she examines what went wrong, Schapiro is also considering asking boards to disclose more about directors' backgrounds and skills, specifically how much they know about managing risk, said the officials,

As new sources of funding flow to the organizations for redistribution to consumers or small businesses the oversight process must be implemented up front. The human factors will play a tremendous role in how ethics are either applied consistently or are absent all together, in day to day operations. Boards of Directors will ensure that corporate management are injecting the correct amount of corporate governance and compliance management oversight to keep human behavior and red flags in check. Operational Risk Managers will be busy expanding their breadth and reach into the corporate enterprise for years to come.

operational risk

Executive Security: Personal Protection Specialist...

In the corporate Protective Security environment, the "Advance Work" will ensure your success or contribute to the embarrassment or injury of your client/principal. Professionals in Protective Security Detail's (PSD) realize that your site or lead advance agent can make or break the entire operational risk strategy for your proactive and preventive security measures.

Thinking like the DEVGRU attacker and possessing a "Red Cell" mentality is a valid approach for several aspects of the advance work necessary to ensure an effective "protective envelope". What ends up being the greatest threat to your operation may be technology itself. Too much reliance on new high tech tools such as "Google Maps" or even the Garmin GPS will create a vulnerability during the point in time when your principal says, let's change the itinerary or the location of the next meeting. A "15 Minute Map" comprised from a good old fashioned road atlas can be the low tech tool that saves lives and chaos.

21st Century Executive Security and modern day Personal Protection Specialist's (PPS) who understand the value of the "Advance" and apply it effectively will continue to keep their principal's safe and secure and with a high degree of professional client service. Corporations operating in countries where executives are required to visit critical infrastructure plants, manufacturing facilities or meet with government officials have been incorporating more protective intelligence and advance work for good reason. The global business environment is increasingly more volatile and subject to the political risks and subjective "Rule of Law" in many emerging economic countries.

Whether it is weapons in close range or a distance, explosive IED's or kidnapping plots, today's global and mobile executive is more at risk. Advance Work is the most important and critical aspect of the security operation. Site and route surveys, "eyes on" residences, airports and buildings including hotels, hospitals, police stations, restaurants and convention centers are a mandatory component of the advance operations.

Surveillance Detection (SD) remains a vital facet of the advance work including the ongoing SD as the Protective Security Detail agents run the operation. The Principal is potentially aware of such activity yet is shielded from any less than lethal imminent threats as the days agenda unfolds.

What may be more obvious is the PSD's use of "Coopers Colors:":

By using a well-practiced, concrete, formulaic train of thought, it prevents the hesitation normally experienced when one is under threat of attack or actual attack, and this is the purpose of the code, to prevent unnecessary hesitation, and to apply only that force which is necessary to defend yourself. The way Jeff Cooper explains it is:

White - relaxed and fairly oblivious of your surroundings, you should only be in this condition if you are at home or another secure setting behind locked doors.

Yellow - the state of not only constant awareness, but the constant recognition of possible threats. In this state, you are observant of your surroundings, allowing you to recognize threats if they present themselves.

Orange - in this state, you have recognized a potential threat, and are ready to defend yourself against this threat if necessary.

Red - you are actively defending yourself or others against a threat that has presented itself to you.

It's not just about general awareness, it's about positively identifying potential and actual threats as you go about your daily life. It's this threat identification and acquisition process that is so valuable, and that reduces your response time to those threats if they present themselves.

Executive Security and the Personal Protection Specialist (PPS) becomes an even more vital asset in the OPS Risk portfolio, where the Board of Director's has authorized significant premiums for an executive's kidnap and ransom (K & R) insurance. Why? Like many aspects of our society today regarding information privacy, one only wonders how information gets leaked from the confines of the corporate enterprise. Operational Risks to and from people in your organization exist everyday. Insuring against losses and protecting against loss events is imperative. Utilizing the correct strategy, tools and human assets to comprise the entire security envelope including the effective use of Protective Security Details can make all the difference in your organizations deterence factor.

operational risk

PII: Achieving a Defensible Standard of Care...

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. This incident is no different than other Operational Risk loss events to your global enterprise this year, such as occupational fraud or the settlement of a lawsuit. Correct?

This time however, the difference is that now your own employees or your customers are the victim. Their PII has been lost or stolen and your organization has been the safeguarding entity of that valuable data until now. Your response is vital and the way you legally and ethically behave is a significant risk factor in itself.

Your brand reputation in the marketplace is on the line and the potential churn in lost customers or employees is at stake. Like many post 9/11 companies, your crisis response protocol is already in place for incidents that require your senior executives and the establishment of an immediate Incident Response Team (IRT).

So why is lost or stolen PII such an important executive issue for any organization?

In privacy, PII is less restrictive than in Information security and one definition can be found in the EU directive 95/46/EC:^[1]

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.

As your General Counsel and Chief Privacy Officer begin to assess the magnitude and breadth of your recent PII exposure, so too does the plaintiff lawyers. Now the clock starts ticking and each tick gets louder and louder, as different litigation strategies are discussed. In Board Rooms and judges court chambers across the United States, the Federal Rules of Civil Procedure (FRCP) and the admissibility of "Electronically Stored Information" (ESI) is being discussed as a legitimate component of evidence and it's relevance in the case.

What if you could now "Rewind" this scenario and find yourself in a "legal safe zone" to adequately prepare, prevent and even preempt a "Data Security Breach" in your organization. This "legal safe zone" is available today and is as close as your corporate executive conference room, with several "Subject Matter Experts" working side-by-side. It's a professional service solution from the data breach services leader, idexperts.

The "Achieving a Defensible Standard of Care" Readiness workshop in your organization begins with a two day facilitated process for discovery and convergence with your fellow company executives. You will be engaged in a proactive, preventive and preemptive tactical plan in preparation for the day of your next PII-involved Data Security Breach. Upon completion, this operational plan establishes the baseline framework for a complete team-based drill. This outcome will then test the readiness of your key stakeholders internally and external to the company. More importantly, it provides the strategic insight on what vulnerabilities still exist in your particular organizations approach to remediation and legal compliance.

Each year, despite security efforts, millions of personal records are compromised as a result of corporate and public-sector data breaches. Breach response costs - mandated notification, PR, call handling, credit monitoring and legal fees - can add up, yet traditional approaches don't fully mitigate the risk to your business or your customers.

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. The next one will be different.

operational risk

Vigilance: Human Factors of Complacency...

Two days from now, Washington, DC will be in the midst of a historic Presidential Inauguration and President Obama will be moving into his new house on Pennsylvania Avenue.

The day after, on January 21, 2009 our Operational Risk Managers from across the spectrum of government will be looking to set their respective agendas for the next four years. The outgoing administration is quickly getting their new offices set up with lobby shops and law firms to continue their power agendas. Some are headed to the private sector, to return to their roots in business.

Regardless of the complexity and the change factors associated with all of the political fan fare, there are still "Black Swan" risks to our economic and global vitality. These operational risks continue to interface with Homeland Security, the Department of Defense (DoD), Treasury, Justice, and the State Department priorities. It all exists with great anticipation.

The United States will continue it's quest to secure the homeland from foreign and domestic terrorism. She will defend our allies against the aggression by other rogue states or countries in political turmoil. She will work harder than ever before to help other nations rebuild or build the foundations for economic stability, democracy and the rule of law. So what has or will change in the next four years in the context of Operational Risk Management?

It's almost like the feeling when you lose a loved one, to some catastrophic event. Or hear the news from a co-worker that your boss is being indicted for some corporate financial malfeasance. There is a feeling of despair and uncertainty. The event and sudden impact brings on a form of decision paralysis. Everyone starts to question each other and there is a tremendous amount of finger pointing on what could have prevented or what caused the incident to occur.

What will change for Operational Risk and managing the current and yet to know "What If's" is that it can't be ignored any longer. In analyzing the 1-in-a-100-year event, people have to go far beyond the mathematical equations and start looking at human behavior. Operational Risk managers across our international governments and business will now realize that even the "Human Factors" in Operational Risk can't always be counted.


Writers Wilber and Smith from the Washington Post have this to say about a vital component of our continued national risk management vigilance:

"A special federal appeals court yesterday released a rare declassified opinion that backed the government's authority to intercept international phone conversations and e-mails from U.S. soil without a judicial warrant, even those involving Americans, if a significant purpose is to collect foreign intelligence.

The ruling, which was issued in August but not made public until now, responded to an unnamed telecommunications firm's complaint that the Bush administration in 2007 improperly demanded information on its clients, violating constitutional protections against unreasonable searches and seizures. The company complied with the demand while the case was pending.

In its opinion, a three-judge panel of the U.S. Foreign Intelligence Surveillance Court of Review ruled that national security interests outweighed the privacy rights of those targeted, affirming what amounts to a constitutional exception for matters involving government interests "of the highest order of magnitude."

Our greatest threat to national security or business and global economic welfare may well come down to the ability to mitigate complacency and a lack of vigilance. A high degree of complacent people, working in an environment of non-vigilance, could set the stage for those human factors to play a major role in exploiting our vulnerabilities as a business and a nation.

The weight of protecting our nation from economic tidal waves and well trained non-state actors is a tremendous responsibility. Operational Risk Management will continue to be a vital aspect of all the existing and new decision makers over the next four years. Becoming ever vigilant and eliminating complacency will keep us from falling victim to the risk of "Human Factors". Gods speed to the 44th Presidency!

operational risk

Managing the Business Risk of Fraud...

Operational Risk Management is in full swing at distressed institutions as the TARP funds continue to flow to these needy corporations. One thing is certain; you can expect increased oversight. The risk management mechanisms to determine how and where funds are being utilized will be the focus. Anti-fraud planning and investigative projects are on the radar of the Board of Directors and the Audit committee chair. The US government Anti-Fraud Task Force is gearing up:

Six more U.S. government agencies, including the Federal Reserve, will take part in a federal anti- fraud task force to strengthen its focus on uncovering mortgage and securities crimes.

Deputy Attorney General Mark Filip announced the expansion yesterday of the President's Corporate Fraud Task Force, which was formed in 2002. Joining the group are the Federal Housing Finance Agency, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Department of Housing and Urban Development and the Office of Inspector General for the financial industry rescue program approved last year by Congress.

"These new members reflect the breadth and depth of the mortgage crisis that we are now confronting and the urgency of the task before us," Filip said in a statement.

Current members of the task force include the heads of the Securities and Exchange Commission and the Commodity Futures Trading Commission.

Gil Soffer, associate deputy attorney general, said the task force expansion would let FBI officials coordinate with monitors of the Troubled Asset Relief Program.

"To be able to bring in our resources and to be able to tap into our expertise and to be able to work with our investigators and our prosecutors when there's criminal activity afoot, it's a tremendous boon" to TARP investigators, he said in an interview.

Congress passed the $700 billion TARP rescue package in October, and lawmakers have said oversight is needed to ensure the funds aren't misused.

The business of Fraud Risk Management has been spelled out for years and continues to be a high priority. Most Fortune 50 organizations have established sophisticated frameworks for addressing compliance, ethics and governance in their organizations. However, the question remains how well they understand their respective roles, responsibilities and jurisdictions. This organizational challenge is no different than the battle between the physical security and information security domains who are now converging. The ACFE, AICPA and the Institute of Internal Auditors have released their latest Practical Guide for Managing the Business Risk of Fraud. Here are the key principles:

Only through diligent and ongoing effort can an organization protect itself against significant acts of fraud. Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:

• Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
• Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
• Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
• Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
• Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

Operational Risk Management issues still exist in Tier II organizations who have market caps below $1B. in assets and are more vulnerable. This is typically due to the lack of resources and extensive staff devoted to a an enterprise wide program that incorporates the mission from the Board of Directors and the "Tone-at-the-Top". 2009 will be busy and you can bet the General Counsel and CxO's will be burning the midnight oil.

operational risk

2009 Outlook: OPS Risk Top Priorities...

In light of the 2009 outlook and the fact that Operational Risk is now a much greater priority, here are vital areas to focus on for the New Year. As restructuring, downsizing, layoffs and overall corporate strategy and governance initiatives are kicked-off for the 2009 calendar year; here are the top priorities according to Peter L. Higgins, Managing Director of OPS Risk advisory firm 1SecureAudit.

"Operational Risk will continue to be a major focus for Boards of Directors in 2009 and for good reason. Governance Strategy Execution, Information and Records Management and Legal Risk are all in need of a critical review and a robust injection of new resources. We are at the beginning of a new "S" curve cycle on the down slope just as we saw in late 2001 post 9/11 and the "Dot Com" era, Higgins said."

"This requires a renewed and substantial commitment to keeping our code of practice guidance and implementation advice narrowly focused on several key areas of the corporate enterprise:"

• Organizational Security
• Information Security Infrastructure: Cooperation between organizations
• Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
• Asset classification and control
• Information Classification: Information labelling and handling
• A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
• Personnel Security
• Responding to security incidents and malfunctions: Reporting security weaknesses
• Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
• Communications and operations management
• Operational procedures and responsibilities: External facilities management
• Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into a contract.
• Exchanges of information and software: Security of electronic mail
• A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.
• Access Control
• Monitoring system access and use: Monitoring system use
• Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
• Business Continuity
• Aspects of Business Continuity Management: Testing, maintaining and re-assessing BCP
• Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
• Compliance
• Compliance with legal requirements: Collection of evidence
• Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

Here are some of the top cases to review for OPS Risk lessons learned in 2008:

01/04/08 - Detroit: Eleven Indictments in International Illegal Spamming and Stock Fraud Scheme - Eleven individuals were indicted in a wide-ranging international fraud scheme which manipulated stock prices through illegal spam e-mail promotions.

02/15/08 - Washington: DOD Employee Arrested in Chinese Espionage Case - Gregg William Bergersen, a Weapons Systems Policy Analyst at the Defense Security Cooperation Agency, Department of Defense, was arrested for passing classified documents to the People’s Republic of China.

02/22/08 - Miami: Five Individuals Indicted for $200 Million Hedge Fund Fraud - Michael Lauer, founder of Lancer Group Hedge Fund, and four others were indicted on conspiracy and wire fraud charges in a $200 million hedge fund fraud.

02/29/08 - Houston: Chinese Chemist Indicted for Theft of Trade Secrets - Qinggui Zeng, aka Jensen Zeng, a legal permanent resident from China, was indicted and charged with theft of trade secrets and computer fraud.

03/14/08 - Cincinnati: Financial Enterprise Executives Found Guilty in $3 Billion Fraud Scheme - Five former executives of National Century Financial Enterprises were found guilty of conspiracy, fraud and money laundering in a $3 billion security fraud scheme.

05/16/08 - Washington: Guilty Plea in Espionage Charge Involving China - Tai Shen Kuo pled guilty to conspiracy to deliver national defense information to the People’s Republic of China.

06/20/08 - Operation Malicious Mortgage Nets 406 Individuals - Charges in Operation Malicious Mortgage, a nationwide takedown of mortgage fraud schemes which inflicted approximately $1 billion in losses, were brought in every region of the country.

10/17/08 - FBI Coordinates Global Effort to Nab “Dark Market” Cyber Criminals - A two year undercover operation, Dark Market, which joined forces with international law enforcement, resulted in 56 arrests and $70 million in economic loss prevention.

11/28/08 - Dallas: Holy Land Foundation and Leaders Convicted - The Holy Land Foundation of Relief and Development and five of its leaders were found guilty of illegally funneling at least $12 million to the Palestinian terrorist group, Hamas.

12/12/08 - Chicago: Illinois Governor Arrested - Governor Rod R. Blagojevich and his Chief of Staff John Harris were arrested on federal corruption charges including conspiring to trade or sell the Illinois’ Senate seat vacated by President-elect Barack Obama.

Beyond the Bernie Madoff fraud scheme that rocked the Hedge Fund universe the real systemic risks to deal with in 2009 will continue to be tied to the housing and mortgage sector:

• Recent statistics suggest that escalating foreclosures provide criminals with the opportunity to exploit and defraud vulnerable homeowners seeking financial guidance.
• Perpetrators are exploiting the home equity line of credit (HELOC) application process to conduct mortgage fraud, check fraud, and potentially money laundering-related activity.

The Operational Risks in corporate enterprises will be increasing as the economy adjusts and finds it's new equilibrium. Hang on for a wild ride in 2009!

operational risk

Security Governance: Siemens FCPA guilty plea...

One only has to look a few layers deep into the corporate hierarchy, to see the root cause of why Siemens AG violated the Foreign Corrupt Practices Act (FCPA).

At a hearing before U.S. District Judge Richard J. Leon in the District of Columbia, Siemens AG pleaded guilty to a two-count information charging criminal violations of the FCPA’s internal controls and books and records provisions. Siemens S.A.- Argentina (Siemens Argentina) pleaded guilty to a one-count information charging conspiracy to violate the books and records provisions of the FCPA. Siemens Bangladesh Limited (Siemens Bangladesh) and Siemens S.A. - Venezuela (Siemens Venezuela), each pleaded guilty to separate one-count informations charging conspiracy to violate the anti-bribery and books and records provisions of the FCPA. As part of the plea agreements, Siemens AG agreed to pay a $448.5 million fine; and Siemens Argentina, Bangladesh , and Venezuela each agreed to pay a $500,000 fine, for a combined total criminal fine of $450 million.

Where the compliance and ethics culture begins to break down in this example and others lies within the "Modus Operandi" of the "Deal Makers" themselves. The sales and marketing mechanisms that funded the budgets of front line managers to perpetuate the corruption are to be thoroughly examined. The competitive environment and the "wink and nod" of selling 101 at Siemens has brought them into the ranks of Enron, Worldcom, and other global transnational corporations soon to be announced for their misdeeds and corporate malfeasance. This NYT article by Siri Schubert and T. Christian Miller highlight the culture factors:

“Bribery was Siemens’s business model,” said Uwe Dolata, the spokesman for the association of federal criminal investigators in Germany. “Siemens had institutionalized corruption.”

Before 1999, bribes were deductible as business expenses under the German tax code, and paying off a foreign official was not a criminal offense. In such an environment, Siemens officials subscribed to a straightforward rule in pursuing business abroad, according to one former executive. They played by local rules.

Inside Siemens, bribes were referred to as “NA” — a German abbreviation for the phrase “nützliche Aufwendungen” which means “useful money.” Siemens bribed wherever executives felt the money was needed, paying off officials not only in countries known for government corruption, like Nigeria, but also in countries with reputations for transparency, like Norway, according to court records.

The line item utilized by business development executives at Siemens to secure business is not an exclusive there or in Germany. It is utilized by almost every major global corporation to obtain the opportunity to compete and to make the short list on major procurements. So how does the internal audit and operational risk professionals deal with the fact that money is budgeted each year for these kinds of activities?

Corporate Integrity Management and the ethics programs is a great place to start. This blog highlighted these in a previous post a few months ago:

Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

• · Systems for monitoring and auditing
• · Incident response and reporting
• · Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reasons. More importantly, security governance frameworks must make sure that the management of a business or government entity be held accountable for their respective performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been discovered is the role of risk management in Security Governance.

Security Governance, like Corporate Governance requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

operational risk

The "New Age" of Unreason...

In the new age of unreason, Charles Handy the author of The Age of Unreason would say that discontinuous change is upon us. He would say that we need to outsource everything that is not a core function of the enterprise. And he would say that learning is the same as change from a different worldview.

Adaptation in order to survive in the corporate world is nothing new. The risks associated with making new decisions depend on how that decision will impact the other persons, processes or systems in the enterprise. As a simple example, adapting a process for entering orders from the field sales force could have a dramatic effect on productivity and at the same time subject an enterprise to new found risks. How would your risk profile change if the following scenario took place at your business?

Sales reps are entering orders in the field via a web application that is protected by a user name and password. There is no VPN or encrypted connection. The application doesn't use SSL. The information on new customers includes name, address, phone number, credit card number, expiration date and the three or four digit security code. As the reps are entering their orders, the paper based sales forms are being put into a folder to be sent by Fedex to the home office. Each rep makes a copy for their files, to make sure that they have the right commission check at the end of the month. The VP of sales finds out that many of the orders are lacking the security code or that the consumer is giving them the wrong numbers. He asks for a change in the sales order process with the CFO in order to streamline the flow of orders and diminish the backlog. The CFO instructs the CIO to have her department change the business rules in the order entry system to eliminate the need for the security code in processing orders. Also, the lag time for the company hard copy to reach the accounting department is a problem and he asks for this step to be eliminated. Everything is completed and now the sales reps do not require this piece of information any longer to process an online sales order. Productivity increases and the backlog is eliminated.

What potential operational risks exist today with this particular business process?

1. The privacy of the customers personal identity and credit card information may be at risk if the sales rep is not securing the hard copies of the sales orders at their business office or home office.

2. The lack of the credit card security code could increase the number of fraudulent orders due to the high rate of identity theft with stolen credit card numbers with expiration dates.

3. The personal identifiable information being entered on each new customer could be compromised due the lack of controls on the network connection.

4. The privacy policy may not have been updated and amended to reflect the new business process and to document that a security code is not needed as of (date.)

The new age of unreason is certainly upon us because simple changes like this are taking place by the dozens, hundreds or thousands every day in the largest enterprises. Making changes is also about learning what those changes will mean to everything that interfaces with that change. It means that testing must take place in a lab or compartmentalized area of the business to insure that the change doesn't impact the core operations. It means observing performance and measuring the results to determine if the change is worth the new risks that the organization is about to encounter.

In the words of Charles Handy:

"Learning is not finding out what other people already know, but is solving our own problems for our own purposes, by questioning, thinking and testing until the solution is a new part of our lives."

"If changing is, as I have argued, only another word for learning, then the theories of learning will also be theories of changing. Those who are always learning are those who can ride the waves of change and who see a changing world as full of opportunities rather than damages. They are the ones most likely to be the survivors in a time of discontinuity."

operational risk

OPS Risk: Tsunami of Fraud...

Just when you think you have avoided the major risk of the credit crisis, HSBC may have been one of many banks exposed to the Bernard Madoff "tsunami of fraud".

Banks and investment funds across the world lined up on Monday to admit investing billions of dollars in the companies of Bernard Madoff, whom U.S. authorities accused of masterminding a massive fraud.

HSBC Holdings was the latest bank to join the growing list, saying it had exposure of around $1 billion (663 million pounds), making it one of the biggest victims of the alleged $50 billion fraud.

Royal Bank of Scotland and Man Group, Japan's Nomura and France's Natixis also said they were hit by the worldwide scandal.

Financial companies, reeling after a year of enormous writedowns on bad credit assets, have so far tallied up more than $10 billion in direct and indirect exposure to the possible fraud by Madoff, the 70-year old trader who was arrested on Thursday.

Last year, HSBC sold it's 42 story headquarters tower for $1.1B. to Metrovacesa in a smart strategy that has now been extinguished by the likes of a simple and yet enourmous ponzi scheme. A Ponzi is an investment fraud in which profits are promised to investors from fictitious sources. Sounds like a hedge fund. Early investors are paid off with funds raised from later ones. Is there any conservative institution that will be spared from the corporate malfeasance and corruption that has permeated our global systems of finance?

The SEC has issued the temporary restraining order for Madoff and his companies while this is drowning out the recent fraud allegations against Marc Dreier:

Dreier was arrested in Canada this month and charged with impersonating a lawyer for the Ontario Teachers Pension Plan. He was released on bail and arrested by U.S. authorities on his return to New York.

Dreier on Dec. 11 was ordered held in custody pending his trial after prosecutors told a federal magistrate that victims of a fraud that started in 2006 have lost $380 million.

If convicted of the securities fraud and wire fraud charges against him, Dreier faces as many as 20 years in prison on each count.

The U.S. Securities and Exchange Commission filed a civil suit against Dreier claiming he stole $38 million from an escrow account set up to hold money for the unsecured creditors of 360networks (USA) Inc., which the firm represented in bankruptcy court.

The movie moguls in Hollywood must be looking at these latest cases to determine if a screenplay might be a worth while endeavor. The hundreds of lawyers and other workers impacted by these two incidents alone, will no doubt bring out a few who were close enough to the two crooks to be able to provide technical consulting on the projects. The setting in the Hampton's or the Palm Beach Country club could even bring some real well known people into the movie picture itself.

Back in May 2008 this blog touched upon the legal ecosystem and the survival of the fittest. Fraud, like other crimes of opportunity, have three common attributes:

1. A growing supply of motivated offenders
2. The availability of prospective or ideal targets
3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mind sets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here as much as that offenders seek to justify or rationalize their actions and methods. The next trend line we will see is the up tick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" we know about the phrase "Survival of the Fittest" comes to mind and this one, will be no different.

operational risk

Top 10 Mistakes: Board of Directors...

A few years ago, Randy Myers article in Corporate Board Member Magazine discussed a Top Ten List for the Board of Directors. In light of the current state of corporate performance, we would like to revisit the most common mistakes.

General Counsel to Directors: Your 10 Most Common Mistakes

The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the dilemma of False Options

And as Randy so clearly states: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 even is on this list. No. 2 and No. 3 is ever so common place. And No. 7 is not a surprise. But what continues to amaze even those professionals associated with consulting to the Board of Directors is No. 8.

The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization be the subject of an investigation by the SEC, FTC or any other government regulator, they need to look to the CRO. It's the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of risk management. Whenever you see a CRO getting involved in managing the risks of the business, then the independence and clarity of oversight has been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.

operational risk

ID Risk Management: Protective Intelligence Factors...

The root cause of the safety and security threat to corporate personnel and assets can be traced back to an identity of someone. It can be said that protective intelligence utilizing the proper Operational Risk Management framework will mitigate the impact of a successful attack. Whether the intelligence is based upon monitoring or proactive and preemptive factors to be alerted to any threat actors who wish to do us harm; you still have to have a valid identity of the "unsub."

Today as you walk into your employer, you may be happy that you are there. This is your sanctuary away from the threat at home. Your work place provides a potential "safe zone" for the next 8 to 10 hours until the work day is over and you have to return to an environment filled with physical and emotional violence. The growing workforce of women in today's corporations are faced with an increasing challenge to keep their jobs and to mask the problems on the home front.

Simultaneously, those who are the root cause of much of the domestic violence are also walking into the same corporation. Who would know that they are the same people that have never been convicted of a crime and yet are beating their wife or girl friend at home? The point is that in your corporate environment today you have a mix of both kinds of people that are the potential threats to your organizational security and safety. Workplace violence is an Operational Risk that requires a proactive protective intelligence mechanism operating on a 24/7 basis. The identities of your employees may be known upon hire, but their changing profiles over the course of their career could change dramatically. Let's illustrate the true picture with some real incidents.

The US Bureau of Labor Statistics has data on 5,488 workplace fatalities in the US in 2007. 610 were homicides, 491 of these were shootings. 22% of these homicides involved former employees yet 43% were current employees. The remaining incidents were committed by non-employees. Understanding the red flags on your current employees and those who have left the organization is the focus here. Your Operational Risk Framework should incorporate the processes, systems and tools to mitigate this relevant internal threat in the enterprise.

The implications of effective identity management go far beyond the operational risks associated with the work place. ID Management encompasses the following domains:

• Public Safety: Identity theft, cyber crime, computer crime, organized criminal groups, document fraud and sexual predator detection
• National Security: Cyber security and cyber defense, human trafficking and illegal immigration, terrorist tracking and financing
• Commerce: Mortgage fraud and other financial crimes, data breaches, e-commerce fraud, insider threats and health care fraud
• Individual Protection: Identity theft and fraud

The research and development community has been focused of late on the use of biometrics. For access controls and other ways to validate true identities; these tools and systems for authentication are vital. Yet the stolen identity to fraudulently obtain a drivers license, passport or visa comes back to our root cause issue. Dr. Gary Gordon and his team at CAIMR are on the right track:

Those challenges, aggravated by the rapid changes in our society, include identity theft and fraud, cyber crime, computer crime, travel and immigration document fraud, and data breaches. They impact individuals, public safety, commerce, government entitlement programs, and national security. As the concept of an identity (or entity) expands in the physical and digital worlds, determining if the person claiming an identity is really that person becomes critical to conducting business, providing access to services and systems, and tracking cyber criminals and terrorists. Responding to these challenges requires a collective effort by the key thought leaders from the public and private sectors, working in concert with academe.

The Center's mission is to conduct applied research in order to provide pragmatic outcomes, utilizing a multi-disciplined approach that draws on the expertise of its diverse members. The results will be specific and measurable, whether they are in the form of industry or law enforcement best practices, technologies, policy adjustments, or training and educational materials.

The Center's purpose is to convene key stakeholders and marshal their respective strengths to help solve very challenging societal problems. Our partners include organizations such as the United States Secret Service, the United States Marshals Service, LexisNexis, VISA, Cogent Systems, Indiana University, Intersections, Wells Fargo & Company, and Fair Isaac Corporation. Our government/law enforcement partners must adapt to quickly evolving identity fraud and cyber crimes. As such, they must understand current attack vectors and prepare for future ones. They need to become more proactive by improving investigations and enhancing training. Corporations are faced with many challenges, including increased fraud losses, compliance and regulatory oversight, and enhancing products and improving services to keep up with the rapidly changing environment. The academic research community is challenged with gaining access to key data sets, tight funding budgets, a limited ability to interact with corporate and government decision makers, and the need to infuse their curricula with cutting-edge research.

Establishing effective tripwires and situation awareness begins with people and may be augmented by technologies and software. CCTV, biometrics and other access controls can become the catalyst for a complacent environment and is no replacement for effective training, education and scenario exercises with personnel.

Protective Intelligence is the front line for early warning and proactive measures to interdict the loss of corporate assets. Having the correct combination of human and technology capabilities will create the most effective means for a myriad of incidents internal to the work place. Application of these these same measures of countersurveillance, monitoring of identities and the lawful use of systems will provide the red flags necessary to preempt incidents external to the institution. In the 21st century, "soft targets" in our critical infrastructure will continue to be exploited for their vulnerabilities:

India picked up intelligence in recent months that Pakistan-based terrorists were plotting attacks against Mumbai targets, an official said Tuesday, as the government demanded that Islamabad hand over suspected terrorists believed living in Pakistan.

A list of about 20 people — including India's most-wanted man — was submitted to Pakistan's high commissioner to India on Monday night, said India's foreign minister, Pranab Mukherjee.

India has already demanded Pakistan take "strong action" against those responsible for the attacks, and the U.S. has pressured Islamabad to cooperate in the investigation. America's chief diplomat, Secretary of State Condoleezza Rice, will visit India on Wednesday.

The Indian government faces widespread accusations of security and intelligence failures after suspected Muslim militants carried out a three-day attack across India's financial capital, killing 172 people and wounding 239.

operational risk

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, 3rd party suppliers and other contractors for at least the near term. In a case that has the defense legal eagles and "Usual Suspects" arguing against the corporate liability issue, the intent is getting cloudy or is it crystal clear?

But in a case now pending before the 2nd U.S. Circuit Court of Appeals, United States v. Ionia Management SA, the defendant corporation, as well as a diverse group of business and legal organizations acting as amici curiae, are asking the court to re-examine what had previously been accepted as black-letter law regarding when a corporation may properly be held vicariously liable for the acts of its employees.

While the defense bar has successfully battled some of the U.S. Justice Department's specific tactics in corporate criminal investigations (such as pressuring companies to waive attorney-client privilege or deny payment of employees' legal fees), this is the first significant direct challenge in recent years to the long-standing doctrine of corporate criminal liability. Their arguments, if accepted by the court, could have far-reaching consequences for the balance of power between the government and the targets of corporate criminal investigations.

Even if the corporate compliance programs are in full force and the financial integrity unit is robust in it's efforts, the "Operational Risk" still exists for litigation. How the cases settle or end up in deferred prosecution deals is another subject. Andrew Weissmann is in the precarious position of having been on the other side of the court room during the Enron trial. Now after having moved to the defense he is feeling the size of the governments powerbase.

Mr. Weissmann, 50 years old, says he noticed the "glitch" in the law four years ago as a prosecutor when he helped put together deferred-prosecution agreements of Merrill Lynch & Co. and Canadian Imperial Bank of Commerce for their conduct in connection with the Enron collapse. It struck him that the standard for criminal liability might be too low for "companies that work hard to create compliance programs" and yet are still on the hook, he says.

Regardless of the amount of awareness building, education and corporate window dressing you can't ultimately control human behavior. More compliance enforcement and regulatory pressure may seem to be the answer. A voluntary effort to shore up security, soundness and the opportunity for malfeasance in the work place may not be working effectively. And still the liabilities exist from the plaintiffs and government adversaries to gain compensation. So what is the answer?

The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex. One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.

What many liability issues begin with are the employee(s) who made a bad decision. QFD in its simplest form is a tool to promote communications. Among peers and connected teams within the organization it provides the methodology to catch errors, omissions and emotional bias early in the process. As an example, let's take the Request for Proposal (RFP). Many companies depend heavily on winning business by responding to RFP's. A "deal makers" perception of importance to the RFP determines the effort for the response. Many times, this is influenced by an incentive plan. The human behavior to accept or decline the effort on an RFP as well as what it takes to push it through the organization for executive sign offs, is not always compatible with the strategic and quality measures of the enterprise.

Over time this will form an unimaginable amount of moral decay within a company. This leads to bad behavior and unethical decisions that people make because the business enviroment has rewarded it for far too long. So who is to blame here? The employee or the culture and company that has condoned and encouraged the behavior that ultimately damaged someone or something.

Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions. More importantly, QFD programs such as this that are directly reducing the likelihood of bad employee behavior and criminal incidents, can reduce the necessity for invasive compliance programs that most everyone wants to ignore.

operational risk

Virtual Truth: False Information Risk...

How does "False Information" impact the risk to your organization? Decisions based upon faulty or inaccurate information is the root of many of the systemic failures of catastrophic history. The Titanic, Challenger Shuttle and Three Mile Island nuclear incident can all be attributed to the integrity of vital information.

Fast forward to the financial crisis and the past decade of consumer credit expansion strategies. What data have you been collecting from US consumers or clients about their personal identifiable information attributes? The Information Age has drawn us into a more dangerous business operating environment as these digital assets have become another commodity to be sold in an international market place, to the highest bidder. Are you ready when the federal "Suits" or the local LEO's (Law Enforcement Officer) knock on your door in pursuit of the truth:

The Fair Credit Reporting Act (FCRA) spells out rights for victims of identity theft, as well as responsibilities for businesses. Identity theft victims are entitled to ask businesses for a copy of transaction records — such as applications for credit — relating to the theft of their identity. Indeed, victims can authorize law enforcement officers to get the records or ask that the business send a copy of the records directly to a law enforcement officer. The businesses covered by the law must provide copies of these records, free of charge, within 30 days of receiving the request for them in writing. This means that the law enforcement officials who ask for these records in writing may get them from your business without a subpoena, as long as they have the victim’s authorization.

The financial integrity of your future as a business and as a consumer is at stake. Christopher Burns brings this to light in a dramatic fashion in his new book; Deadly Decisions:

"First, it is often extremely difficult to validate, corroborate, or verify the information we are dealing with, except by comparing it to the other information we are dealing with. And often the whole system is contaminated by misunderstanding, bad data and false assumptions that are hard to spot. The truth test rarely works. And second, the real issue of truth is not whether you or I should believe this or that, it is what we believe together. The truth that matters is group truth, and where we get into trouble is when a whole organization--a company, a community, a nation--starts to act on information that has been gathered from many sources and processed by many people but has come to contain significant elements that are false."

Beyond "Red Flags" imposed on business, the LEO community is starting to acquire what it needs for more effective deterence and enforcement mechanisms. The ID Theft Enforcement and Restitution Act of 2008 is providing prosecuters with the tools to address cyber extortion schemes such as the Express Scripts Case:

Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.

Now the clients themselves are receiving extortion demands directly from the criminal elements behind this latest critical incident. Express Scripts has hired a new Senior Compliance Counsel to start December 1 and one of the Board of Directors has tapped a unit of his former company to provide ID Theft professional services. It looks like they are heading in the right direction.

Trusted Information is at the core of current global trading, business transactions and the fabric of our own personal identities. False information and knowledge is what creates operational risk factors that can change a whole company or the integrity of a whole nation. Systems that comprise vast databases of "so called" trusted information are at our fingertips being utilized to make coherent and effective decisions. Yet what may be the more catostrophic Operational Risk beyond the simple stealing of information is the potential opportunity for the destruction of vital information.

The vulnerability of our institutions and the critical infrastructure of the United States economy is ever more at risk of a systemic loss. While our stolen data will continue to be sold to the highest bidder on a global platform for trading, the 4GW "Non-State" actors will change their modus operandi. This is a given.

Trusted Information systems that have certified integrity and the oversight controls to ensure the highest level of virtual truth is the "Holy Grail." The degree to which these same systems include false knowledge is our most complex problem for business and government in the next decade.

operational risk

General Counsel: OPS Risk Priorities...

As General Counsel are you keeping up with the latest technology being deployed in your enterprise? Do any of your employees use Twitter? What about your "Generation Y" and the use of P2P file sharing programs. Does your CxO in charge of Safety, Security, Investigations and Corporate Integrity have the latest report on employee violations of your Information Assurance and Acceptable Use policies?

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.

The economy is continually downsizing and employees are now being sent home to work in "Virtual Mode" and Operational Risk loss events are matastasizing. Corporate Counsel and CxO's must provide thorough due diligence, security awareness training and effective annual audits of employees who work from home or may be perpetual "Road Warriors" hopping the globe from hotel to hotel. Why?

In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.

If you are a General Counsel and your organization is authorizing the use of encryption on laptops or other personal social networking sites or systems, it's imperative to pay attention to their application. The use of encryption for data security can be utilized to keep the data secure in the event of a breach or a lost digital asset. It can also be used to cloak fraudulent or criminal activities:

In an expanding probe of investment giant UBS, the Justice Department on Wednesday announced the indictment of the Swiss bank's chairman of global wealth management, accusing him of playing a key role in a tax evasion scheme to shelter secret U.S. account holders from income tax bills and drive up bank revenue.

Raoul Weil, who oversaw the Swiss bank's cross-border private banking business serving 20,000 U.S. clients, helped conceal a combined $20 billion in assets from the Internal Revenue Service, the indictment charged.

"Prosecutors said the executives and managers used nominee entities, encrypted laptops, numbered accounts and other counter-surveillance techniques to conceal their U.S. clients and offshore assets."

"If the company policy is written correctly, employees have no privacy interest in any materials created or accessed on company computers. With such a policy in place, an employer generally can review with impunity an employee's activities on the company's computer system."

Whether information is discoverable is going to be a different matter. A careful review of most social networking sites privacy policies will most likely reveal that posted information is not private, therefore discoverable. Therefore, effective legal and IT security awareness programs and education is essential in any enterprise where employees are working remotely.

The modern day General Counsel must rely on the Chief Privacy Officer working diligently with the Chief Security officer and the Chief Compliance Officer to mitigate Legal Risk. The convergence of these responsibilities lies more on the Chief Operational Risk Officer to see that all parties are synchronous in their strategies and efforts. They may be the best person to insure the entire spectrum of operational risks are being thoroughly addressed.

operational risk

AML: Transnational eCrime Ecosystem...

The Operational Risk threat matrix from "Advance Fee Fraud", "Nigerian Letter (419) Fraud, Foreign Lottery/Sweepstakes Fraud and "Overpayment Fraud" is still growing exponentially. During our current economic crisis, the spike in these consumer Mass Marketing schemes is to be expected. Global Anti-Money Laundering (AML) operations are in high gear at home and abroad.

The "Transnational Economic Crime Ecosystem" is thriving and the major phases of the environment continue to be a major challenge for global financial institutions and law enforcement:

1. Collection
2. Monetization
3. Laundering

Let's take a closer look at "Overpayment Fraud":

Overpayment Fraud - Victims who have advertised some item for sale are contacted by buyers who remit counterfeit instruments, in excess of the purchase price, for payment. The victims are told to cash the payments, deduct any expenses, and return or forward the excess funds to an individual identified by the buyer, only to discover they must reimburse their financial institution for cashing a counterfeit instrument.

The predominantly transnational nature of the mass marketing fraud crime problem presents significant impediments to effective investigation by any single agency or national jurisdiction. Typically, victims will reside in one or more countries, perpetrators will operate from another and the financial/money services infrastructure of numerous additional countries utilized for the rapid movement and laundering of funds. For these reasons, the FBI is uniquely positioned to assist in the investigation of these frauds through its network of Legal Attache offices located in over 60 U.S. embassies around the world. By leveraging its global presence and network of liaison contacts, the FBI has successfully cooperated with other domestic and foreign law enforcement agencies to combat, disrupt, and dismantle international mass marketing fraud groups.

Despite the best inter-agency enforcement efforts to combat mass farketing fraud, the FBI remains cognizant of the fact that the only enduring remedy for this crime problem lies in consumer education and fraud prevention programs. Towards this end, the FBI has not only produced its own mass marketing fraud prevention pamphlet but coordinates on other public information efforts with the DOJ, FTC, and the USPIS. The FBI also supports a consumer fraud prevention website in conjunction with the USPIS which can be located on the web at: http://www.lookstoogoodtobetrue.gov.

While the number of Mass Marketing Fraud cases has declined over the past few years, the number of new money laundering cases has risen to over 500 in FY 2007 alone. This is to some degree as a result of the cooperation being given to law enforcement by the financial instituions themselves. And for good reason. There is a new sheriff in town.

(Reuters) - A U.S. tax investigation into UBS AG (UBSN.VX: Quote, Profile, Research, Stock Buzz) is concentrating on senior and midlevel executives and bankers, and could result in one or more indictments, the New York Times said, citing people briefed on the matter.

Investigators are sifting through more than 70 names and related account details of American clients provided by UBS over the last few months to the Justice Department, which has passed the details to the Internal Revenue Service for further scrutiny, the paper said.

The Justice Department and the IRS plan to build both civil and criminal tax-evasion cases against some of the clients, the people told the paper.

The U.S. tax investigation risks compounding damage to UBS's reputation at a time it has been forced to make bigger writedowns than any other European bank in the credit crisis.

The U.S. Department of Justice is investigating UBS over offshore services provided to U.S. clients from 2000 to 2007 to find out whether UBS helped wealthy Americans dodge taxes. The Swiss bank was singled out by U.S. President-elect Barack Obama as one of the banks who helped "tax cheats." It decided earlier this year to stop offering offshore Swiss bank accounts to U.S. citizens.

Yet the collection phase of mass marketing fraud is not about "70" or a "100" UBS clients who are trying to cheat on their taxes. It is still about the millions of phishing and spam messages that circle the digital globe in search of their targets or prey. These illusive criminal organizations behind this organized cybercrime wave are continually exploiting the vulnerabilities of our financial institutions and our own human behavior.

"Merchandise Mules" are being recruited by the hundreds if not thousands to reship goods outside North America. These criminals are utilizing stolen identities and credit cards to purchase goods on eCommerce sites and eBay and then requesting to ship the goods overseas. Unfortunately, those who are elderly or even just down on their economic luck fall victim to this tremendous economic crime tsunami:

Much of the modern organized crimes are very similar to the old. The most significant transformation from the streets to cyberspace has enlarged the territory of individuals and organized groups.

Enabled by the Internet, criminals can operate in cyberspace where less governance, a transnational stage, and a multitude of transactions to monitor complicate surveillance and enforcement. From counterfeiting drugs and software to identity theft and credit-card fraud, illegal transactions are increasingly infiltrating legitimate businesses where counterfeited goods and money laundering are buried in the billions of legitimate computer transactions made daily around the globe.

Counterfeited products are rising through global distribution via Internet sites. According to the World Health Organization, 50 percent of the medicines sold online are counterfeit.

The expanse of international criminal activity has been followed with an increase in prosecution through cooperating international law enforcement agencies willing to join the fight against globalized crime.

operational risk

Travel Risk: Adaptive Survival Instruction...

Travel risk to corporate executives is on the rise. Even if you are not an executive who can afford the services of personal body guards and armored cars, there are some prudent ways to mitigate the risk of traveling to the global hot spots.

The Mission

Travel safety is becoming more of a main stream issue with savvy operational risk managers. In fact, the likes of some new firms are emerging by former FBI or other law enforcement heavy weights. The fact is, most of these so called travel safety courses are being taught from only one side of the equation.

In a world of global commerce, CSOs are often tasked with building their company's corporate travel safety programs. The job calls for a proactive approach to educate employees about precautions they can take to stay safe, whether they're the CEOs of multibillion-dollar conglomerates who fly on company jets that land on secured tarmacs or rank-and-file staff riding in commercial airline coach.

The Take-Away

Business has to be done in some of the most dangerous places on the planet, even when it comes to being exposed to kidnapping, terrorism and corrupt governments. Our advice is to make sure your instructor transfers skills to people on "how" to detect, deter and defend against the attackers. Not just the "What to do".

The how is not easy to teach unless you have been there and experienced it. One of the reasons why most CEO's are "Age Experienced" is that it takes time to acquire enough leadership lessons. It does not happen in a week or a month or even a few years. Learning the skills to survive in strange cities, cultures and countries requires instruction by age experienced and "Quiet Professionals". Much of this instruction is about training people to be "Adaptive."

Personnel threat management is a prudent risk mitigation solution. This combination is one key strategy to reduce the operational risks associated with key personnel in your organization. Individuals whose occupations place them at risk may include people with access to valuable proprietary information or holders of high level security clearances, the wealthy and those responsible for their safety.

Comprehensive "Adaptive Survival Instruction" for international business executives is a primary mission for OPS Risk leadership because it saves lives.

operational risk

Reputation Risk: Organizational Stewardship Revisited...

Reputation risk is becoming more of a topic of discussion these days. The loss of reputation results in several outcomes both economic and personal. The fact is that most of the time organizations are "Reacting" to a crisis, news leak or some other corporate failure.

You don't have to name names of people or companies to understand the impact that reputation has on the success or demise of an organization. What has to change to lower the severity and likelihood of loss events associated with "Reputation"?

First you have to ask yourself a couple of key questions:

1. What is your reputation worth?
2. Are you being Proactive or Reactive in managing and safeguarding your reputation?

The PR and marketing communications processes in your organization may have certain facets of the solution to better reputation risk management. However, these processes are designed with out the consciousness of proactive threat anticipation, detection, prevention and remediation.

What has become more clear to executives in proactive oriented companies is the requirement for a specific and strategic approach to Reputation Risk Management. This approach encompasses an emerging theme from the early nineties pioneered by author Peter Block. We call it Organizational Stewardship.

Organizational Stewardship as a core guiding principle is the cornerstone in managing an institutional reputation risk management process. It has three components that support this rekindled idea of applying the concepts of stewardship to the organization:

• Economic Accountability
• Information Management
• Business Integrity

Reputation Risk Management is about the proactive monitoring and management of a portfolio of threats in the organization. Several categories include:

1. Intellectual Property and Information Assets
2. Demonstrations, planned boycotts and social activism
3. Physical infrastructure including employees and suppliers
4. Legal threats including class actions, insider trading or whistle-blowers

Microsoft closed its free Internet chat rooms in 28 countries several years ago because of threats from pedophiles and junk e-mailers. This is an example of proactive reputation risk management. Unfortunately, this has opened the door to another related threat of hackers hijacking Instant Messaging (IM) accounts.

Although Microsoft contends that IM is safer than the chat rooms it is already known that both AOL and MSN messenger systems are already being exploited with malicious code and worms that can potentially expose organizations to additional digital risks.

Organizational Stewardship is a guiding principle. Once it is embedded into the organization it begins to permeate the mindsets of the individuals who are responsible for the conscious reputation risk management processes. Over time, these individuals help influence the corporate mindset, philosophy and ethics to a new found level.

Someday soon the executives in the board room will realize that managing reputation is not about keeping secrets and fighting fires. They will realize that they need to find a proactive, preventive and relevant strategy for achieving Organizational Stewardship in their company.

operational risk

EESA: Oversight & Legal Filings...

What is on the mind of GCs in the United States and United Kingdom? What are they saying about the costs of litigation, labor and employment, the financial/subprime crisis, regulatory investigations and FCPA, e-discovery preparedness and patent infringement claims. A Fulbright & Jaworski 5th year survey, gets the answers from 350 senior-level executives.

Lawsuit fears also vary across the United States: California companies have qualms about employment cases; Northeastern companies worry about environmental cases; and Southern companies expressed concerned about class actions and products liability lawsuits.

The survey responses indicate that lawsuits filings ultimately vary by industry.

During the past year, two-thirds of insurance companies reported at least six new lawsuits, followed by 55 percent of retail companies.

Manufacturing companies were the third most sued industry, with 54 percent facing six new claims. Health care providers followed closely behind with 52 percent reporting a half dozen new cases.

Two industries were far less likely to face multiple lawsuits in one year.

Thirty-seven percent of financial services companies reported six new lawsuits compared with 30 percent of technology firms.

Somehow we think the financial services companies are going to see a large spike in the next nine months. The SOX cases will be tested and there will be a few that won't get settled. The outcomes will set the precedence for Corporate Governance related suits for years to come.

Keep on "eye" on this one. Part of the new EESA legislation will have some kind of IG and oversight. This will be keeping the legal teams busy:

7) Compliance: The law establishes important oversight and compliance structures, including establishing an Oversight Board, on-site participation of the General Accounting Office and the creation of a Special Inspector General, with thorough reporting requirements. We welcome this oversight and have a team focused on making sure we get it right.

The Special Inspector General's purpose is to monitor, audit and investigate the activities of the Treasury in the administration of the program, and report findings to Congress every quarter.

The "TARP" Inspector will have their hands full and since they are appointed by the President, you can be sure that they will not be too partisan.

operational risk

Ethics: Management 101 to the rescue...

A few years ago there was an anonymous posting on CSO Online about "Doing the Right Thing". It could only be about the rules and policies set down by the ethics committee. Right?

"Directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs," the U.S. Sentencing Commission's statement reads in part. "Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities."

The commission notably adds: "If companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria."

Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

• · Systems for monitoring and auditing
• · Incident response and reporting
• · Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Here lies the question many Board of Directors are scratching their heads about these days. How can we avoid these ethical and legal dilemmas and how can they be addressed without creating a state of fear and panic?

That’s when we really learned that this game of business is just about the human factors. It’s really not about the controls, the monitoring or even the awareness programs. It’s about being a model manager, and a model human being.

The odds are it will be the human factors that are going to be what gets you on the steps of the local federal building. And it all comes back to good old-fashioned management 101.

As indicated, the great manager can impact the lives of tens or hundreds of people in your company. Conversely, the uncivil manager can wreak havoc with a similar numbers of lives. The position of management is ever so powerful to influence those around them.

Your company wide compliance initiative has the elements that provide guidance for creating a program that the government is likely to look favorably upon. The problem is that these same criteria inadvertently communicate the message that implies building a program based on this formula is enough. It isn’t.

operational risk

Homeland Security: The Risk of Fusion Man...

Modern Day Operational Risk Management, requires a multi-skilled and versatile individual. Someone who understands the difference between "Information Warfare" and "Cyberterrorism." And if you were born after 1980 and part of Generation Y, then you might even have more insight on how Sam Fisher has managed his way through unimaginable risks throughout his career as a Splinter Cell operative. You understand why Homeland Security is evermore focused on HUMINT and our national security is ever so vulnerable to an increasing reliance on the Internet Protocol (IP).

Information warfare is an attack against computers, networks, or information systems to coerce or intimidate a government and its people. These attacks result in violence against people or property and generate fear. Attacks that disrupt nonessential services or create a costly nuisance are not considered information warfare. Cyberterrorism results in severe effects such as death, bodily injury, explosions, plane crashes, water contamination, severe economic loss, and so on.

Information warfare is easily and most effectively waged against civilians. Because of its size and reliance on technology, no nation is as vulnerable to information warfare as the United States. Information warfare can be waged anonymously, or with all the publicity in the world.

If were born before 1960 and you fall into the "Baby Boomer" category, you better spend some time with your "Generation Y" kids or nieces or nephews, if you want to better understand what is now coming over the threat horizon. There have been published reports of Global Hawks and Predators seeking out their targets with skilled aviators located thousands of miles away. These tools and systems of warfare are easily turned in our own direction and now Homeland Security finds it nexus with some new Operational Risk challenges. Accomplished authors such as P.W. Singer writes about "What happens when science fiction becomes battlefield reality"?

If issues like these sound like science fiction, that’s because many of the new technologies were actually inspired by some of the great sci-fi of our time ­ from Terminator and Star Trek to the works of Asimov and Heinlein. In fact, Singer reveals how the people who develop new technologies consciously draw on such sci-fiction when pitching them to the Pentagon, and he even introduces the sci-fi authors who quietly consult for the military.

But, whatever its origins, our new machines will profoundly alter warfare, from the frontlines to the home front. When planes can be flown into battle from an office 10,000 miles away (or even fly themselves, like the newest models), the experiences of war and the very profile of a warrior change dramatically. Singer draws from historical precedent and the latest Pentagon research to argue that wars will become easier to start, that the traditional moral and psychological barriers to killing will fall, and that the “warrior ethos” ­ the code of honor and loyalty which unites soldiers ­ will erode.

Homeland Security professionals and new recruits to the various public and private sector organizations are ever more savvy and vital to managing the risks of the coming decades. Technology and the newest inventions of the human mind are consistently applied for the purpose of good and the well being of our fellow man. We are consistently pushing the outside of the envelope to fly farther and faster, even if it means becoming a "Fusion Man."

Swiss adventurer Yves Rossy flew from France to Britain Friday propelled by a jetpack strapped to his back -- the first person to cross the English Channnel in such a way.

Rossy, a pilot who normally flies an Airbus airliner, crossed the 22 miles between Calais and Dover at speeds of up to 120 mph in 13 minutes, his spokesman said.

When the white cliffs of Dover came into view, he opened a blue and yellow parachute and drifted down in light winds to land in a British field where he was mobbed by well-wishers.

"Everything was perfect," he said afterwards. "I showed that it is possible to fly a little bit like a bird."

Rossy traced the route of French aviator Louis Bleriot, who became the first person to fly across the Channel in an aircraft in 1909.

The Swiss pilot was propelled by four kerosene-burning jet turbines attached to a wing on his back. He ignited the jets inside a plane before jumping out more than 8,000 feet above ground.

We suspect that Mr. Rossy has hired some very competent lawyers to work on his patents and licensing of intellectual property. By now, it all may be classified and Sam Fisher is taking his first test flights.

operational risk

FCPA: 21st Century Investigations...

Intellectual property theft, corporate espionage, transnational economic crime and the Foreign Corrupt Practices Act (FCPA) are on collision course with international 21st Century investigators. New age professionals who were almost born with a keyboard or PDA in their hand; remain ever vigilant.

The use of third parties, offshore banking and other avoidance mechanisms such as Black Market Peso Exchange (BMPE) increases the potential for theft, corruption and abuse buried in global commerce using the Internet Protocol (IP).

The FCPA prohibits corrupt payments through intermediaries. It is unlawful to make a payment to a third party, while knowing that all or a portion of the payment will go directly or indirectly to a foreign official. The term "knowing" includes conscious disregard and deliberate ignorance. The elements of an offense are essentially the same as described above, except that in this case the "recipient" is the intermediary who is making the payment to the requisite "foreign official."

Intermediaries may include joint venture partners or agents. To avoid being held liable for corrupt third party payments, U.S. companies are encouraged to exercise due diligence and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives. Such due diligence may include investigating potential foreign representatives and joint venture partners to determine if they are in fact qualified for the position, whether they have personal or professional ties to the government, the number and reputation of their clientele, and their reputation with the U.S. Embassy or Consulate and with local bankers, clients, and other business associates. In addition, in negotiating a business relationship, the U.S. firm should be aware of so-called "red flags," i.e., unusual payment patterns or financial arrangements, a history of corruption in the country, a refusal by the foreign joint venture partner or representative to provide a certification that it will not take any action in furtherance of an unlawful offer, promise, or payment to a foreign public official and not take any act that would cause the U.S. firm to be in violation of the FCPA, unusually high commissions, lack of transparency in expenses and accounting records, apparent lack of qualifications or resources on the part of the joint venture partner or representative to perform the services offered, and whether the joint venture partner or representative has been recommended by an official of the potential governmental customer.

Digital fingerprints and technology has changed the way we manage and store information just as it has changed the way cases are developed and presented to new juries who understand the evidence. Organizations operating on a global scale with branch offices in London, Frankfurt, Mumbai, Hong Kong and Shanghai are continually exposed to operational risks associated with rogue employee behavior in the normal course of doing business in country. The legal matrix of risk exposures are magnified by Internet commerce, privacy, intellectual property and transnational policing.

In the recent "2008 Report to the Nation on Occupational Fraud and Abuse" by the ACFE, the Banking / Financial Services industry group suffered the highest frequency of losses:

• # of Cases - 132
• % of Cases - 14.6%
• Median Loss - $250,000.00

The type of scheme with the highest percentage was corruption at 33.3% of banking cases. Government had 106 cases with 26.4% of these associated with corruption. The telecommunications sector endured the biggest impact with 16 cases reported yet with a median loss of $800,000.00 . Healthcare suffered 76 fraud cases at 26.3% involving corruption.

In all cases the digital trail is there for the forensic professionals to track, trace and assemble the history and chronology of events. Unfortunately for the prosecution and the plaintiffs, there is a tremendous backlog for the collection and analysis of this modern day CSI. Independence and expertise is the key element of getting your favorable day in court. Judges and juries are far more educated on the new Federal Rules of Evidence and Civil Procedure. Lawyers are utilizing the eDiscovery threat to force premature settlements. Meanwhile, the digital evidence continues to be collected, imaged and stored for analysis waiting it's day in court.

21st Century investigators utilize digital forensic certifications and training combined with years of education and experience. Managing the legal risk to institutions and those who have been implicated is their only priority by achieving a defensible standard of care. Judging the evidence is not their interest nor their objective. Insuring that the relevant information is soundly collected, preserved and presented without spoilation or prejudice, is the primary mission.

operational risk

Human Psyche: Transparency of Risk Profiles...

In a July 2008 a global Economist Intelligence Unit survey; 71% of the financial services executives admitted that their Enterprise Risk Management (ERM) strategy has not been fully implemented. 59% of the 316 executives say that the current credit crisis has put a high magnification microscope on their risk management activities and strategy.

Corporate executives might think that compliance would be a driving factor behind the need to break down the silos in the enterprise and become a more holistic risk management culture. This could not be farther from the truth. People are the only factor when it comes to addressing culture. However, the failing organizations have it upside down. They have been so focused on the sophisticated mathematics, they have lost sight of what really changes the culture more rapidly and pervasively. Leadership and culture. Human behavior working towards greater transparency of risk profiles and the management of reputation will work miracles compared to the "Hedge Quants" trying to manipulate the algorithms to obtain the desired results. We want to trust the data, but can we? The credit scoring applications can't keep up with the pace of the market changes.

The ERM strategy of the future needs to be focused on changing peoples behavior to impact "Reputation", as opposed to just another regulatory hammer to gain compliance. Therefore, Operational Risk Management and enhancing the perception of confidence in the "eye of the customer", will provide the peace of mind that is required to keep the flow of trust in the global markets. The Board of Directors policy implementation on risk management and developing a culture of ERM to better manage the implications of reputation is the top item on the upcoming meeting agendas.

Most shocking in the survey results are that financial institutions with $100B. in assets or greater; only 55% have someone in the dedicated task of "Chief Risk Officer". This means that 45% do not have a dedicated person who can see the entire ERM porfolio of risk. Institutions under $100.B in assets are in even worst shape.

In what is by far the largest bank failure in U.S. history, federal regulators seized Washington Mutual Inc. and struck a deal to sell the bulk of its operations to J.P. Morgan Chase & Co.

The collapse of the Seattle thrift, which was triggered by a wave of deposit withdrawals, marks a new low point in the country's financial crisis. But the deal, as constructed by the Federal Deposit Insurance Corp., could hold some glimmers of hope for the beleaguered banking system because it averts any hit to the bank-insurance fund.

Instead, J.P. Morgan agreed to pay $1.9 billion to the government for WaMu's banking operations and will assume the loan portfolio of the thrift, which has $307 billion in assets. The full cost to J.P. Morgan will be much higher, because it plans to write down about $31 billion of the bad loans and raise $8 billion in new capital. All WaMu depositors will have access to their cash, but holders of more than $30 billion in debt and preferred stock will likely see little if any recovery.

Walking throught the halls at the FDIC several months ago, this writer could almost smell the fear that was building. How are we going to deal with the new "tsunami of failed financial institutions" in the coming months? What will the domino effect be on customers psyche? Now, there are even fingers being pointed at the mechanisms for ensuring transparency to investors and customers:

Ultimately, those who blame fair-value accounting for the current crisis are guilty of the financial equivalent of shooting the messenger. Fair value does not make markets more volatile; it just makes the risk profile more transparent.

We should be pointing fingers at those at Lehman Brothers, AIG, Fannie Mae, Freddie Mac and other institutions who made poor investment and strategic decisions and took on dangerous risks. Blame should not be paced on the process by which the market learned about them.

operational risk

Decision Advantage: OPS Risk Intel...

The "Wall Street to Main Street" sound bytes are coming fast and furious on our multiple channels of media. Attacks on the US Embassy in Yemen and the Marriott hotel in Pakistan provide us with the other side of the Operational Risk Management Mosaic. Whether the "financial terrorists" are operating in the shadows of their trading accounts or "Islamic Jihadists" assembling components in the garage of an unknown warehouse, risk management is on their mind. And embedded in their operational trade craft.

OPS Risk Intelligence tells us what you are concerned about, or trying to learn more. If you are reading this you may have landed here on the Internet because you were searching for answers on some facet of Risk Management. These are just a few of the items that caught our eye in the last 24 hours:

• does "fre 502" apply retroactively
• security issues 4gw 4th generation warfare ? conflict and completion ? what can we learn from this to management
• levels of risk, operational versus strategic risk
• risk management for trucking business
• hp hewlett packard plant safety risk manager
• cyber risk insurance questionnaire
• memento actimize
• erm for citi bank
• the economics of risk management
• strategic operational risk
• risk management blog
• "country risk" offshore
• what risk is associated with spam?
• ? iso (bs 27001? british standard for information security management, mandated for the nhs in 2001 how to
• bank audit
• case study societe generale
• best practices for seizing electronic evidence
• risk management convergence
• telecom operational risk management training
• risk and human factors
• how military contingency plans are formulated
• financial health suppliers risk management
• bank audit and compliance, risk management

How do I continuously monitor my vulnerability and the likelihood of disaster before I achieve my mission? Hedging the risk on whether a stock will decline in value before a certain date and arriving undetected in a truck with a ton of explosives at a certain time both have several risk factors in common. Stealth is one of them. Therefore, only accurate and timely intelligence gained before the trigger event, can make the difference for the targets survival.

(Reuters) - Goldman Sachs Group Inc (GS.N: Quote, Profile, Research, Stock Buzz) said on Sunday it would become the fourth largest bank holding company and would be regulated by the Federal Reserve.

Goldman said it would move assets from a number of strategic businesses, including its lending businesses, into an entity called GS Bank USA that would have more than $150 billion in assets.

GS Bank USA would be one of the ten largest banks in the United States, with assets that are fully funded for term and available to funded by the Federal Reserve.

By dispatching suicide bombers to the capital—and particularly to such a high-profile target—the extremists appear to be continuing their bid to force the Pakistani government to halt ongoing military operations in the troubled region, which borders neighboring Afghanistan.

But the bombing, which killed some 57 people—most of them ordinary Pakistanis—is being dubbed as the "9/11 of Pakistan," and is seen by many as a declaration of war on the part of local Taliban. It has also suddenly changed the tone of the government leaders who until recently have been publicly mulling peace deals with the militants.

If you are the target of a takeover by your competitive adversary on the global financial landscape or just another "soft target" hotel or other critical infrastructure, the game remains the same. Gaining intelligence that has been validated from a vetted and trusted source, is what creates a "Decision Advantage."


operational risk

EO 12333: Open Source Intelligence...

As the headlines continue to shout for more oversight, regulation and legal actions in the aftermath of chaos in global financial markets; the corporate investigations and security departments are at full capacity. Outsourcing the investigations is not anything new, and it makes even more sense in times when an independent point of view is essential:

A blend of advanced technology, increased litigation and rising fears about trade secret theft and financial fraud is driving law firms and corporate counsel to the doors of former FBI agents and ex-prosecutors with a knack for solving crimes.

These private investigators report that calls for help from law firms and corporate general counsel have increased substantially in recent years.

Attorneys are looking for assistance on a wide range of problems, including: corporate espionage, intellectual property theft and workplace discrimination claims.

At the core of many of these problems, lawyers note, is a mountain of computer evidence too technical and too overwhelming for attorneys to dissect on their own.

"Most lawyers do not have the technological experience or the accounting expertise to do almost any of the stuff that these guys do," said attorney Alan Brudner, head of litigation and investigations of the U.S. division of UBS Securities LLC, an international financial services firm.

Corporate Counsel should be reinvesting in the consistent lawful monitoring of employees, contractors and suppliers as it pertains to Executive Order 12333. This has been recently amended and clearly spells out the refocus on our intelligence efforts to address the following threats to our corporate trade secrets and national security:

(c) Intelligence collection under this order should be guided by the need for information to respond to intelligence priorities set by the President.

(d) Special emphasis should be given to detecting and countering:

(1) Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;

(2) Threats to the United States and its interests from terrorism; and

(3) Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction.

(e) Special emphasis shall be given to the production of timely, accurate, and insightful reports, responsive to decision makers in the executive branch, that draw on all appropriate sources of information, including open source information, meet rigorous analytic standards, consider diverse analytic viewpoints, and accurately represent appropriate alternative views.

Suffice it to say that more than ever, "Open Source" information is becoming the starting point for all intelligence collection activities. In the context of the corporate policy regarding the use of systems, most if not all companies have the right to monitor all applications for "Red Flag" indicators of fraud, espionage or other violations of state and federal laws. Corporations are using "Open Source" information to determine the initial profile of potential candidates for open positions including the analysis of FaceBook, MySpace and LinkedIn social networking sites.

Executive Order 12333 emphasizes US citizens rights:

The Executive Order maintains and strengthens existing protections for Americans' civil liberties and privacy rights. The Executive Order retains and reinforces the provisions in place in the original Executive Order 12333 to ensure that all intelligence activities are conducted in a manner that protects the civil liberties and privacy rights of Americans. All collection, retention, and dissemination of information regarding United States persons must be conducted in accordance with procedures approved by the Attorney General.

Executive Management and Boards of Directors will be reexamining the current state of their policies regarding the monitoring of employees and other stakeholders. Essential tools and operational risk management methodologies must not only be utilized to safeguard our corporate secrets from theft and economic espionage, they must simultaneously protect our privacy and civil rights. There are mechanisms in place for "Joe Citizen" to address his identity and the right to correct any information that is incorrect or in error. However, in this age of Wiki's, social networking sites and sophisticated data mining techniques it's possible that one's identity could be associated with other information that is derogatory, disparaging or can damage a persons reputation.

Managing your own identity and reputation in a vast sea of "Open Source" information is imperative. In a world of intelligence collection, analysis and production the integrity of data is just as important as the confidentiality and the assurance of the data. Making sure that Lexis Nexis, TransUnion, Experian and Equifax are using the correct information associated with your identity could make the difference in critical facets of your life, both personal and professional.

Who is managing your identity today? Private and law enforcement investigators may start with "Open Source" information to develop a profile, yet that is only the beginning. Vetting sources and individuals who provide information is a key part of the process. Certifications, training, regulation and continuous oversight will ensure that people are continuously improving their skills, techniques and processes. The rest, is up to you.

operational risk

A Perfect Storm: OPS Risk & The Asian Factor...

The forensic professionals have been busy at Freddie Mac and Fannie Mae over the past six months, and we are only looking at the tip of the ice berg. The results are in and Uncle Sam (US) is now adopting them in order to try and achieve new corporate governance and operational risk management objectives. The "Asian Factor" is a major influence in this decision.

The historic announcement has been well received by some of the institutions and Asian countries that were heavily invested in the US mortgage backed securities market. In Hong Kong, HSBC soared 4.5 percent and No.1 China lender ICBC rose 4.7 percent in trading.

Asian stock markets soared Monday after Washington announced a bailout of mortgage giants Fannie Mae and Freddie Mac — a move that could help bolster a shaky U.S. housing market and renew global investor confidence.

The initial relief will give some the feeling that the worst is over and that is not the case. The Operational Risks associated with these events have now increased exponentially as new people take over and existing people jump off the sinking ship. Just the attrition in manpower will create new threats from within these organizations in the form of just errors and omissions alone.

And now let the litigation begin:

A shareholder is suing five banks, claiming they did not warn her or other investors about a proposed accounting-rule change that lowered the value of Fannie Mae stocks she bought, Bloomberg News reported.

The proposed rule is FAS 140, the accounting standard that specifies the conditions for keeping securitized assets off the balance sheet. If the proposal is issued in its current form and takes effect in November 2009 as expected, it could force companies like Fannie Mae to bring some special-purpose entities back on their balance sheet.

Plaintiff Karen Orkin, who bought 600 shares of class B Fannie Mae shares, filed the suit in New York State Supreme Court in Manhattan this week as a proposed class action, according to Bloomberg. The complaint reportedly says 89 million shares of the stock were sold, and the share price sunk by 44 percent in value in four months.

The five banks — Citigroup, Merrill Lynch, Wachovia, Morgan Stanley, and UBS — formed a syndicate to underwrite the stocks. Wachovia, Morgan Stanley, and UBS declined to comment on the suit.

The lawyers and the accountants are circling the feeding frenzy looking for new opportunities to cash in on the next phase of the sub-prime mortgage crisis. And they are not the only firms that have been gearing up for the court room drama in the months and years to come. FTI, LECG and other eDiscovery firms such as Encore are creating specialty units to focus on the growing number of law suits and litigation as a result of the tremendous fraud allegations:

The fact that numerous government entities are involved puts a high premium on the use of sound electronic discovery processes, chain of custody and especially forensic expertise. “What may start as a broad-based investigation by the SEC could quickly evolve into a complex web of related cases,” said Hemanth Salem, Encore’s Vice President of Professional Services and member of the Subprime Services Unit. “For example, the discovery process must factor in that an investigation could quickly expand to include 10b- 5 and derivative cases, ERISA ‘stock-drop’ cases, fraud or negligence claims revolving around slack underwriting standards, lack of appropriate internal accounting controls and failure to disclose exposure to risk in MBSs and CDOs.”

As the markets stabilize and the new corporate governance takes hold at institutions across the globe, take a minute to consider the real interdependencies. Operational Risk is directly tied to the sophistication of our systems, software and algorithms that make up the very DNA of our financial trading infrastructure. Add to this the complexity of people, cultures and their behavior when emotions of fear, greed and even revenge come into play. Welcome to the "Perfect Storm" of Global Enterprise Risk Management.

operational risk

EDD Overload: Modern Incident Response...

Remote Digital Forensics is quickly migrating into a vast science that requires a sound combination of both legal and technical expertise. The EDD process has been helpful in educating the marketplace about the industry and the steps that are necessary for a complete and thorough eDiscovery review. However, relevancy and precision is highlighted here by Richard Betjlich:

Why copy a 2-terabyte RAID array on a server if cursory analysis reveals that a small set of files provides all of the necessary evidence to make a sound case? Expect greater use of "remote previews" during incident response and select retrieval of important files for forensic analysis.

In addition to focusing on just the material that matters, modern incident response and forensic processes are more rapid and effective than historical methods. When hard drives were 40MB in size, it was feasible for a moderately skilled investigator to fairly thoroughly examine all of the relevant data for signs of wrongdoing. With today's volume of malicious activity, hard drive size, and efforts to evade investigators (counter- and anti-forensics, for example), live response with selective retrieval and review are powerful techniques.

The explosion of ESI and EDD related businesses is creating confusion and fear in the marketplace. Corporate counsel is working with outside law firms to get a better understanding of what their specific competencies are in the processing and analysis of electronically stored information that is relevant to the case. The question may remain, are they looking at everything instead of what is material to the case thus driving up the costs of litigation and the billable hours?

The Federal Rule of Evidence 502 takes effect in a few months (December 1, 2008) and this will address part of the problem:

Managing information that is discoverable through email from Party A to Party B using the internal e-mail system provided by the employer to the third parties outside of the organization including lawyers is the nexus here. How can an organization make sense of it all and keep the GC from pointing fingers at the CIO?

The answer begins with building awareness and education with all employees in the organization, not just the legal staff and IT. It begins the moment any employee opens the word doc or excel spreadsheet. The second you reply to that IM or e-mail on your PDA . Only through effective education and policy management will the enterprise learn how to modify behavior regardless of what tools and systems are put in place to organize, sort and query ESI.

"Whether building the castle walls or defending the crown jewels, knowing the right questions can make all of the difference."

The beginning of your educational journey starts here: CastleQuest

To learn more about Remote Digital Forensic Solutions visit: 1SecureAudit

operational risk

FACTA: Red Flags & eCrime...

The "Red Flags" rule has some banks and financial institutions scrambling to get compliant by the upcoming November deadline. The corporate governance and compliance teams are working hard to make sure the Operational Risks associated with the rule are being addressed in a timely and prudent manner:

Federal Trade Commission (FTC) and five Federal financial regulatory agencies published a series of final rules and guidelines entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act (FACTA) of 2003." Red Flags are relevant indicators of a possible risk of identity theft and Section 114 of FACTA specifically explains rules about the development and implementation of a written identity theft prevention program. The provision recommends that both financial institutions and creditors in the United States assess the likelihood that their customers' accounts are prone to identity theft, and mandates that they then implement a program to identify, detect and respond to its indicators.

Organizations who have many of the Information Security and Enterprise Risk functions under the CISO or CIO will have to make sure that they are communicating effectively with the Board of Directors, just as they did with SOX. Senior management is on the line when it comes to the security and safety of the vital information on clients and customers.

"Financial institutions or creditors could look at this as a governance strategy to get the Operational Risk objectives on the Board Room agenda," said Peter L. Higgins, Managing Director and Chief Risk Officer of 1SecureAudit. "When Board Members themselves are having their own personal identities compromised by Transnational eCrime Syndicates, senior management can bet that they will have to have their house in order, especially by November 1st." "Our advisory teams are recommending integrated enterprise solutions alongside software tools such as Norkom Technologies, Memento and Actimize to mitigate these specific compliance and eCrime business problems," Higgins said.

And just when the financial institutions have their hands full with ID Theft, so do the health care and medical sectors:

To be sure, the most recent data available suggests medical ID theft affects a relatively small number of people. In 2005, more than 8 million Americans were victims of identity theft, and 3% of them, or about 249,000, had their personal information misused for the purpose of obtaining medical treatment, supplies or services, according to a 2006 study from the Federal Trade Commission.

But state and national lawmakers are beginning to take notice. Starting this year, California extended its security breach law to require companies that handle medical and health-insurance information to notify people when the security of their medical data has been compromised.

In May, the U.S. Health and Human Services Department's Office of the National Coordinator for Health Information Technology awarded a $450,000 contract to Booz Allen Hamilton to study the extent of the nation's medical identity theft problem.

The last to know?

Victims often realize they have a problem when they receive their insurer's explanation of benefits for services they never received, collections companies come calling for charges they didn't incur or their credit report shows changes, Dixon said.

"Right now where we are with medical identity theft is where we were at the beginning of financial identity theft," she said. "We're starting at square one with this crime. The good news here is financial identity theft laws are going to help these victims for debt collection and credit report issues."

operational risk

Risky Business: Global Cyberwarfare...

OPEN SOURCE WARFARE: Cyberwar is here to stay. Think about the leverage. Imagine the impact on global commerce from the Board of Directors perspective. Is it possible to disrupt business operations on a regular or targeted basis? The Russian -Georgia Digital Conflict started on the Internet and has spread to Atlanta, GA USA where the Georgian President's web site has been relocated.

John Robb sums this up nicely. Transnational eCrime is being fueled by knowing individuals and governments that:

• Engage, co-opt, and protect cybercriminals.
• Seed the movement.
• Get out of the way.

We have heard the term "plausible denial-ability" in the years past when a world event occurs and somehow the proof is just too far from reach. Those days are soon to be over as new mechanisms are integrated with diplomacy and defense leadership to provide the evidence necessary to show culpable entities.

One such exploit has been out there for months and is being perpetuated by the transnational crime syndicates use of tools such as NeoSploit:

One obvious fact is that Web exploitation toolkits are only going to get more professional and advanced. Some sources state that a NeoSploit kit sells for $1,500‐3,000 USD, based on the features requested. that kind of money, the developers behind these packages have every incentive to make their product as tamper‐resistant and full featured as possible, trying to extend life not only to their own exploits evading detection and analysis), but also to the creations of the virus writers who utilize them.

The business longevity of your organization and it's ability to remain resilient in the face of cyber-warfare depends upon your ability to provide countermeasures and the effectiveness of your digital counterterrorism strategy execution. Without these in place, your organization faces the inevitable aftermath of any conflict when you are too close to the action.

Attacks by Russian hackers against Georgian Web sites, including one hosted in the United States, continued Tuesday even as Russian President Dmitri Medvedev ordered a halt to hostilities against Georgia.

Tom Burling, acting chief executive of Atlanta-based Web-hosting firm Tulip Systems Inc., said the Web site of the president of Georgia was the target of a flood of traffic from Russia aiming to overwhelm the site. Burling said bogus traffic outnumbered legitimate traffic 5000 to 1 at president.gov.ge.

"Literally, our people aren't getting any sleep," Burling said.

Tulip's firewall was blocking most of the malicious traffic. The site has been periodically inaccessible, though it was working midday Tuesday. Burling said the attacks have been reported to the FBI.

The transnational UNSUB's may be beyond the reach of the legal systems of these nation states. Or are they?

operational risk

ESI: Federal Civil eDiscovery...

The San Francisco DA "Operational Risk" factors have spiked now that they have released passwords in public documents for their internal VPN networks.

The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's virtual private network. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case of Terry Childs, who is accused of holding the city's network hostage by refusing to give up administrative networking passwords. Childs was arrested July 12 on charges of computer tampering and is being held in the county jail.

Mr. Childs is a good example of the "Insider Threat" that any savvy CSO has on their mind today. As a result of the case evidence being gathered and the eDiscovery involved with proving the case in court, now we have additional exposures to the City of San Francisco. A system administration nightmare only if the city has not implemented tools such as Multi-Factor authentication and encryption of sensitive personal identifiable information or classified data.

Childs faces four felony counts of computer network tampering and one penal-code violation for causing losses in excess of $200,000. He has pleaded not guilty but remains in custody in lieu of $5 million bail.

The ordeal has spurred the city's IT department to bolster network oversight and to consider hiring outside auditors to monitor a security upgrade. City officials also will review all access to its FiberWAN network, the hub through which payroll, e-mail and criminal files flow.

It has also persuaded other cities to scrutinize their own systems.

As more cases like this one enter our legal system it is imperative that attorneys for both the plaintiff and defense realize the implications of their search for justice. The identities of people who may be witnesses in an upcoming trial have a sensitivity just as the ID's or login credentials for city employees and officials. As these types of cases become more prevalent there will be new procedures and controls invoked by judges who have learned their lessons about releasing sensitive information such as network passwords to the public record.

So What! What does Operational Risk have to do with a criminal case? What would eDiscovery have to do with this? Where do you think they got all of these passwords? Inside a paper notebook sitting on a shelf?

In a case that did not receive a lot of publicity the Court in United States v. O'Keefe, 537 F. Supp. 2d 14, 18-19 (D.D.C. 2008) applied the federal civil ediscovery amendments to a federal "criminal" case. This was a significant decision in that DOJ's federal prosecutors (over 4000), defense counsel, and others have some guidance from a federal magistrate regarding ESI in the criminal area. The Court stated:

In criminal cases, there is unfortunately no rule to which the courts can look for guidance in determining whether the production of documents by the government has been in a form or format that is appropriate. This may be because the "big paper" case is the exception rather than the rule in criminal cases. Be that as it may, Rule 34 of the Federal Rules of Civil Procedure speak specifically to the form of production.

The Federal Rules of Civil Procedure in their present form are the product of nearly 70 years of use and have been consistently amended by advisory committees consisting of judges, practitioners, and distinguished academics to meet perceived deficiencies. It is foolish to disregard them merely because this is a criminal case, particularly where, as is the case here, it is far better to use these rules than to reinvent the wheel when the production of documents in criminal and civil cases raises the same problems.

operational risk

People Risk: Protective Security Professionals...

How long does it take for a lethal attack to occur against an at-risk person? Just 2 Seconds is the latest book by Gavin De Becker. Along with his long time colleagues Tom Taylor and Jeff Marquart they document how to use time and space to defeat adversaries.

There are some compelling insights gained from their research:

• In the US, attacks are most likely to be undertaken by lone assailants 87% vs. outside the US where attacks are typically the work of multiple assailants 71%.
• Attacks in the US are about as likely indoors (53%) vs. outdoors (47%)
• However, 64% of attacks happen when the protected person is in or around the car and 77% of these attacks are successful.

Most of these happen within a distance of 25 feet or less using a handgun. Corporate executives and their Protective Security Detail (PSD) already know these statistics and have trained together for these increasing risks. Many have adopted the LADDER model from Gavin de Becker & Associates training academy:

Logistics
Advance
Distance
Deterrence
Evacuation
Response

The study of the motives and the psychology of why these actors pick their targets and choose the time and place has become a science. The methods and tools to assist corporate security in predictive analytics requires a substantial baseline of historical data and real-world experience. Over 20 years ago Gavin and his team developed the MOSAIC Threat Assessment system. It is now in use with dozens of police and government agencies to help authorities and Protective Security Details to be more proactive and preemptive.

Protective Security Specialist's today are certified professionals utilizing intelligence in combination with the attributes of Time, Mind and Space to provide safe and secure travel for their clients. The science and the art have converged to provide a fusion of data, strategy and ad hoc tactics to ensure the mission is completed without incident. As one example, in the state of Virginia, their training is extensive and encompasses a rigid certification process that begins with:

1. Administration and Personal Protection Orientation - 3 hours
   
   
2. Applicable Sections of the Code of Virginia and DCJS Regulations - 1 hour
   
   
3. Assessment of Threat and Protectee Vulnerability - 8 hours
   
   
4. Legal Authority and Civil Law - 8 hours
   
   
5. Protective Detail Operations - 28 hours
   
   
6. Emergency Procedures - 12 hours
   • CPR
   • Emergency First Aid
   • Defensive Preparedness
   
   
7. Performance Evaluation - Five Practical Exercises

Golden Seal Enterprises is just one of the certified training schools providing the core and advanced work for becoming a PSS professional in Virginia:

Course Description: Using proven protective detail models, from the real world experience of GSE’s cadre of EP, PSD and PPS Instructors students will learn to use a pro-active process to prevent threats while maintaining the ability to use reactive skills when a threat is present. This is designed to enable students to operate in self-supporting details but will also encompass interfacing with other details, law enforcement, and other security personnel.

Graduates will be able to provide a secure environment for a client through identifying and controlling potential risks while the client is on foot, in a vehicle, or within a structure in dynamic situations. Graduates will also learn procedures to control the effects of unusual incidents in a professional manner to maintain the client's safety and image and a consistent proper working relationship with the client, client's family, and staff. The course content includes classes and discussions as applied to permissive and semi-permissive environments. Includes VA DCJS 32E certification.

Topics Covered: Protective Operations, Terminology, Case Studies, Advances, Detail Organization, Formations, Route Surveys, Surveillance Detection, Communication & Equipment, Transportation, Vehicle Dynamics, Evasive Maneuvers, Motorcades, Vehicle Search, Technical Security, Details Abroad, Protective Detail Firearms, Assassinations, First Responder Medicine, CPR & AED Certifications and Defensive Tactics.

The profession doesn't stop there. Some risk management firms who have these certified individuals on staff go much further in their training and their vetting of employees. We agree and recommend that you add these questions to your due diligence when obtaining Request for Proposals:

• Review all policy documents the firm has their personnel sign to become a PSS on staff.
• Review the firms hiring process and the prerequisites to join the firm.
• Review the operational standards and operating procedures to ensure 24 x 7 x 365 capabilities.
• Review the 3rd party agreements that encompass any transportation and private aviation suppliers (Netjets)
• Review the firms technology and communications infrastructure including radios, information systems security controls and privacy countermeasures.

The profession has come a long way and people like Gavin de Becker & Associates have established the baseline for others to compete. High net worth individuals, movie stars, public officials and corporate executives have much at stake and require comprehensive strategy execution.

Think of every assassination you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.

From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for this book, all of them combined, took place in less than a half-hour. Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers.

operational risk

ESI Risk: Seizing Electronic Evidence...

In this issue of Board Member Magazine, Lisa Ferri reminds us of the importance of the risk of Electronic Evidence.

If the only thing better than learning from your mistakes is learning from the mistakes of others, then directors need to take a lesson from Philip Morris. The tobacco giant was slapped a few years ago with a $2.75 million fine by a federal court. The offense? Wrongful destruction of e-mails, otherwise known in legal circles as spoliation of evidence. The court found that at least 11 Philip Morris executives “at the highest corporate level” were guilty of violating a court order concerning document retention. In other words, they purged and paid the price.

United States of America v. Philip Morris USA Inc., et al. is a cautionary tale of the problems awaiting companies that are either unaware of or unprepared for the world of electronic evidence. The rules governing that world are evolving at warp speed.

In the United States, does an employee need the companies permission to seize your computer at the workplace for electronic evidence? In order to be more informed about this procedure and the legal implications in your enterprise, see CCIPS.

Warrantless workplace searches occur often in computer cases and raise unusually complicated legal issues. The starting place for such analysis is the Supreme Court's complex decision in O'Connor v. Ortega, 480 U.S. 709 (1987). Under O'Connor, the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related.

Your compliance or legal office can provide you with the guideance for any employee that is suspected of violating company policies with regard to computers crime or theft of confidential information or intellectual property. The question remains, what policy is in existence today and what methods have been utilized for full disclosure to employees that may impact their rights of privacy on the job?

For more help on this subject see: Best Practices for Seizing Electronic Evidence.

Just remember, Forensics and gathering electronic evidence in a criminal matter is in opposition to your recovery. Once a violation has occured, you can make changes, clean up the problem and get back to normal or you can preserve the crime scene for evidence. It's one or the other. If it's not, then that is when you run into problems. Document retention strategies in combination with Forensic Digital Discovery procedures are critical to any organization that cares to mitigate the ongoing risks of electronic evidence.

operational risk