14 November 2009

Infinistructure: Who Knew What When...

Who knew what when? This is the question of the last year as we now embark on the path towards recovery. The Operational Risks that brought down our economic institutions are growing, and the convergence has produced even bigger systemic organizations that are "Too Big To Fail."

While many will be sidetracked by the need to deal with the toxic assets still on the books or in sinking portfolios, the "Zeros and Ones" don't lie. The information, the digital evidence and the pure data audit trails will remain, and many will be caught, charged, indicted and then sent before a jury to decide their fate.

Managing risks in the enterprise today takes on many flavors and spans several departmental or enterprise domains of expertise. Whether it be the legal department, the IT department, Internal Audit, the Security department or even the Operational Risk Management Committee, the "Zeros and Ones" don't lie. Think about how much time the people behind corporate malfeasance spend trying to cover their tracks and clean up the digital "Blood Trail" of their crimes and wrongdoing, all the while knowing that someday a smart investigator or forensic examiner will connect the dots. Game over. Amir Efrati at WSJ writes:

Federal prosecutors in Manhattan brought criminal charges Friday against two men for allegedly being the technological brains behind Bernard Madoff's multibillion-dollar Ponzi scheme, and suggested charges against others could follow.

The case against two former computer programmers, Jerome O'Hara and George Perez, may help fill in key blanks in the timeline of how Mr. Madoff, who pleaded guilty to fraud earlier this year, masterminded a scheme that has cost thousands of investors more than $20 billion. The complaint hints at other unnamed "co-conspirators" at the Madoff firm who are now being targeted by prosecutors.


Whether it is two paid-off programmers enforcing the boss's "Business Rules" in their software or an internal threat actor does not matter. Whether they are copying, stealing, altering or damaging the digital information within the organization does not matter; these Operational Risks remain constant. The resources and the money devoted to continuous due diligence, monitoring and a preemptive strategy to deter, detect and defend the digital assets of the enterprise need to grow dramatically to stay ahead of the curve.

The best way to figure out what to do and how to do it will require outside assistance. Moving your digital assets to be professionally managed makes sense for economic and other financially prudent reasons. Yet this migration away from large numbers of people managing and maintaining your information technology infrastructure internally and on your payroll is just the standard "outsourcing" strategy, right? It has its own set of third-party supply chain risks. After your next incident, who will be asking: Who knew what when?

Many private sector and government enterprises who are augmenting their COOP and the economic strategy of "Cloud Computing" have realized the smart course of implementing and migrating to managed services and infrastructure suppliers such as Terremark:

Terremark Worldwide (NASDAQ:TMRK) is a leading global provider of IT infrastructure services delivered on the industry's most robust and advanced operations platform. Leveraging purpose-built datacenters in the United States, Europe and Latin America and access to massive and diverse network connectivity from more than 160 global carriers, Terremark delivers government, enterprise and Web 2.0 customers a comprehensive suite of managed solutions including managed hosting, colocation, network and security services.

Terremark's acclaimed Infinistructure utility computing architecture has redefined industry standards for scalable and flexible computing infrastructure and its digitalOps service delivery platform combines end-to-end systems management workflow with a comprehensive customer portal.

How can the utilization of an "Infinistructure," combined with the knowledge and application of a legal compliance ecosystem in your enterprise, mitigate the risks associated with bad actors, unprepared personnel and the digital loss of key evidence? Stay tuned for more on this later. In the meantime, remember this. All of the newest technology, faster computers and networks enabled with encryption and secured physical locations will not be enough to save your institution from Operational Risks. It is just one more piece of the total risk management mosaic that will still require the smartest people and the most robust policy and processes imaginable.

Who knew what when? This will continue to be the biggest question of the next decade.

31 October 2009

Intel Analysis: Executive Risk Fusion Center...

How often do you try to prove that a risk hypothesis is true? Is it possible that each piece of evidence you collect or information you process is used to try to prove that your hypothesis is correct?

Analysis of executive Operational Risk Intelligence in your corporation is typically being processed within the organizational silos of your enterprise business units. How it is being shared, how often and then how it is being analyzed, compared and used to confirm or refute multiple hypotheses, can make the difference in your corporate business survival.

The ACH methodology developed by Richards J. Heuer, Jr., is a vital component of your internal Executive "Risk Fusion" Center where the Board of Directors, Senior Management and corporate risk directors determine the correct strategic course for the future:

Analysis of Competing Hypotheses (ACH) is a simple model for how to think about a complex problem. It is an analytic process that identifies a complete set of alternative hypotheses, systematically evaluates data that is consistent and inconsistent with each hypothesis, and rejects hypotheses that contain too much inconsistent data. ACH takes you through a process for making well-reasoned, analytical judgments. It is particularly useful for issues that require a careful weighing of alternative explanations of what has happened or is happening. ACH can also be used to provide early warning or help you evaluate alternative scenarios of what might happen in the future. ACH helps you overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult; it helps clarify why analysts are talking past one another and do not understand each other’s interpretation of the data. ACH is grounded in basic insights from cognitive psychology, decision analysis, and the scientific method.

What is the likelihood that the General Manager, Global Security of your enterprise is looking at surveillance information on a rogue employee today to assess a workplace threat and to help keep the company safe? Simultaneously, the Chief Information Security Officer (CISO) is analyzing the latest log data from various intrusion systems to determine if the "Advanced Persistent Threat" (APT) has changed its cyber tactics to steal the latest software R & D architecture from the office suite business unit. The Chief Financial Officer (CFO) and Head of Internal Audit are analyzing the latest revenue reports with the Vice-President of Sales & Marketing to determine why the Asia Pacific team has been losing 8 out of 10 business deals in the forecast pipeline.

The likelihood is high. Each is formulating a hypothesis independently of each other and in most cases they will never know that there is a risk related nexus to the entire enterprise. The reason is that your Executive "Risk Fusion" Center does not exist or is unable to analyze competing questions that are being asked about potential areas of concern. So when do you use this approach and the ACH methodology?

Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
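Heuer's matrix run over the three-silo scenario above, as an added example that is not from the original post or from any ACH software; the hypotheses, evidence items, silo sources and credibility weights are constructed, and the diagnosticity rule is a deliberate simplification. Scoring each silo's evidence alone and then the fused matrix shows why the nexus only appears in a "Risk Fusion" Center.

```python
"""Minimal Analysis of Competing Hypotheses (ACH) matrix.

Added example, not code from the original post.  Hypotheses, evidence,
sources and weights are constructed for the three-silo scenario.
"""
from dataclasses import dataclass
from typing import Dict, List

# Rating of one piece of evidence against one hypothesis.
C, I, N = "C", "I", "N"   # consistent / inconsistent / not applicable


@dataclass
class Evidence:
    eid: str
    description: str
    source: str               # which silo holds this evidence (constructed)
    weight: int               # credibility: 1 = low, 2 = medium, 3 = high
    ratings: Dict[str, str]   # hypothesis id -> C / I / N


# Competing hypotheses for the scenario in the post (constructed).
HYPOTHESES: Dict[str, str] = {
    "H1": "An insider in the office suite unit is leaking R&D to a competitor",
    "H2": "An external APT is exfiltrating R&D through a network intrusion",
    "H3": "APAC deal losses are ordinary competition, unrelated to any breach",
}

# Evidence as each silo would hold it (constructed sample data).
EVIDENCE: List[Evidence] = [
    Evidence("E1", "Badge logs place a rogue employee in the R&D lab after hours",
             "Global Security", 3, {"H1": C, "H2": N, "H3": N}),
    Evidence("E2", "IDS shows nightly outbound transfers from the R&D subnet to unfamiliar hosts",
             "CISO", 3, {"H1": C, "H2": C, "H3": I}),
    Evidence("E3", "Competitor's APAC bids undercut our confidential pricing by under 1%",
             "CFO / Internal Audit", 2, {"H1": C, "H2": C, "H3": I}),
    Evidence("E4", "Endpoint forensics found no malware on R&D hosts",
             "CISO", 2, {"H1": C, "H2": I, "H3": N}),
    Evidence("E5", "Competitor launched a cheaper product last quarter",
             "CFO / Internal Audit", 3, {"H1": N, "H2": N, "H3": C}),
]


def inconsistency_scores(evidence, hypotheses, sources=None):
    """Weighted count of evidence that is inconsistent with each hypothesis.

    ACH rejects the hypotheses with the most inconsistent evidence rather than
    accepting the one with the most consistent evidence.  `sources`, when
    given, restricts the matrix to one silo's evidence, to show what that
    silo can conclude on its own.
    """
    scores = {h: 0 for h in hypotheses}
    for ev in evidence:
        if sources is not None and ev.source not in sources:
            continue
        for h in hypotheses:
            if ev.ratings.get(h, N) == I:
                scores[h] += ev.weight
    return scores


def rank_hypotheses(evidence, hypotheses, sources=None):
    """Hypothesis ids ordered from fewest to most inconsistencies."""
    scores = inconsistency_scores(evidence, hypotheses, sources)
    return sorted(hypotheses, key=lambda h: (scores[h], h))


def diagnostic_evidence(evidence, hypotheses):
    """Evidence that discriminates between hypotheses (simplified rule):
    inconsistent with at least one hypothesis but not with all of them.
    Evidence consistent with every hypothesis carries no diagnostic value,
    however compelling it looks on its own.
    """
    out = []
    for ev in evidence:
        marks = [ev.ratings.get(h, N) for h in hypotheses]
        if I in marks and any(m != I for m in marks):
            out.append(ev.eid)
    return out


if __name__ == "__main__":
    for silo in ("Global Security", "CISO", "CFO / Internal Audit"):
        print(f"{silo:22s} alone:", inconsistency_scores(EVIDENCE, HYPOTHESES, {silo}))
    print("fused ranking:", rank_hypotheses(EVIDENCE, HYPOTHESES))
    print("diagnostic evidence:", diagnostic_evidence(EVIDENCE, HYPOTHESES))
```

Global Security's badge logs alone reject nothing, and the sales team alone can only weaken H3; only the fused matrix leaves H1 as the survivor with no inconsistent evidence.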

The human mind needs modern software analytics, proven cognitive tools and vetted processes of thinking to arrive at the answer. While the answer may not be what you seek, it is the answer to the question, without a doubt. Live with it or discard it. This does not matter. What does matter is that the Executive "Risk Fusion" Center brought together the best of all these operational risk components and whether the human chooses to accept it or ignore it could be our corporate prosperity or peril. What do you think?

29 October 2009

Legal Risk: The Art of Compliance...

Risk Management is on the minds of Corporate Directors, and in some interesting places, according to a recent poll by PWC and Corporate Board Member Magazine:

How has your personal risk as a director changed in the past 12 months?

Increased 69%
No change 30%
Decreased 1%

Some risks are tough to name...

What keeps you up at night?

Unknown risks 59%

...while others are identifiable.

Do you think regulators are more likely to investigate your company?

Yes 71%

Do you think there'll be an increase in shareholder suits?

Yes 65%

If 71% of the directors surveyed think that regulators are more likely to investigate the company, where does that feeling come from? Is it the fact that the SEC and others such as the FTC and OCC are gearing up to facilitate greater oversight than in past years? Is it the lack of internal focus on creating a systemic Risk Management Framework? Could it be the amount of toxic assets that are still on the balance sheet? The answer is yes, yes, and yes.

So what can Directors do to make sure that management and the company are ready when the "Feds" come to town? The answer may well lie in the ability to show a history and evidence of doing the right thing and doing it with extreme diligence.

For good or bad—okay, mainly for bad, most respondents agree—the government as boardroom-player-cum-active-investor will be around for a foreseeable spell.

Regulation will rise...

Do you think there will be a big increase in regulation?

Yes 91%
No 2%

Of that 91%, 54% “strongly agree” with the premise that there’ll be more regulation, 37% “agree.”

...and spread.

Do you think other companies will have to adopt rules that the government has imposed on those receiving financial help?

Yes 54%
No 20%

Nearly 45% of the respondents say no amount of government control, whether more or less than what we got, could have prevented the severity of the economic crisis.

No to Uncle Sam as paymaster

Respondents are against the feds’ having a say in setting executive pay.

Are government limits on executive compensation justified?

No 88%

Should the government impose further limitations on pay?

No 97%

Should comp be left to the board?

Yes 76%


The only hope for "Achieving A Defensible Standard of Care" in your institution could be what Siemens and other wrongdoers have discovered. Spending hundreds of millions of dollars on "Compliance" might be a good thing when the time comes to differentiate yourself in the marketplace and negotiate with the government, especially if you are a global enterprise doing business in countries that don't exactly have the best reputation for transparency and the rule of law. Here is what Gerhard Cromme, Chairman of the Supervisory Board of Siemens AG, had to say on their efforts to date:

Wherever wrongdoing was proved beyond a doubt, we immediately took the necessary actions. Wherever there were systemic weaknesses, we identified them and corrected them. Where the necessary resources were lacking, we provided them. These demanding efforts have paid off: Today Siemens has a clear, transparent structure that no longer allows any gray areas with respect to responsibility. At the same time, these structures make Siemens more efficient, more cost-effective, and thus more competitive. The authorities took into consideration our unflinching desire to do whatever was necessary for a fresh start in determining the size of the penalties and the duration of the proceedings.


Operational Risk encompasses the actions taken by Siemens, including the new centralized systems for payments, disbursements and other accounting functions that were previously run by business units outside of Germany. This consolidation and integration of systems was not easy, but it shows that discovering how vulnerable the controls of a decentralized system were warranted the investment in a new way of doing business.

Only time will tell whether any company's Board of Directors' efforts to spend more resources on "The Art of Compliance" will make a difference to the regulators, investigators and litigators. One could probably bet that over time it will make a difference. But only if the "Tone at the Top" is commensurate with the actions being asked of the employees and stakeholders doing the day-to-day tasks of running the risk operations of the enterprise.

13 October 2009

Irregular Warfare: 21st Century Corporate Battlefield...

The safety and security of your corporate assets is a Board of Directors level issue. The loss events including adversarial litigation for errors, omissions, or just plain ignorance of regulatory compliance are gaining momentum. These Operational Risks associated with human behavior and the daily tasks performed on the job remain a vast vulnerability within the corporate enterprise. Why?

The discipline of effective Operational Risk Management requires a tone from the top that speaks to the core issue:

Historically, financial institutions that have experienced security breaches or costly exposure to operational and other kinds of risks have tended to keep these incidents under wraps.

The conventional wisdom was that it was bad for the brand and bad for the business to talk about these situations. But times have changed – the developments of the past couple of years in the financial services industry have served to demystify risk management in many ways. At the same time, with e-crimes and other kinds of online security breaches becoming more sophisticated and prevalent, some industry players are calling for more openness and collaboration as a way to try to identify and prevent attacks before they compromise critical customer information.


The growth of more sophisticated attacks on our critical infrastructure, exploits that compromise our "Personal Identifiable Information" (PII) and the risks associated with wrong, invalid or corrupted information will continue to accelerate. The loss events are directly tied to the speed and sophistication of the systems people use in their daily tasks. Whether it is a person operating a vehicle with computers on board or sensors designed to collect specific information, the systems are faster and more complex.

Sharing information is how you address the threats from transnational non-state actors who are organized and operating with the intent of exploiting vulnerabilities in the fabric of business. They have three places to focus their efforts on your systems and controls:

  • Design
  • Implementation
  • Configuration

If business understands that these are three areas that the attackers are focused on, then perhaps they will realize that resources and manpower must be allocated to these key components of the enterprise defense. If you think about each loss you have incurred over the past year, the odds are that your attacker was able to exploit one of these three attributes. Think about it for a minute.

Even if your design is flawless in theory, over time you may come to find that the wall is not tall enough, the fence not long enough or the door not strong enough. Even if your implementation follows the designer's instructions, you may find that the environment you operate in is too hot, too isolated or overwhelmed with chaos. Even if your configuration today is a one-to-one match for all known exploits, the adversary is watching and monitoring your design and implementation. They are changing their tactics and "Modus Operandi" (MO) to fool you, scare you or operate in complete stealth mode, until it is too late. This is known as irregular warfare:


When we say irregular warfare, what we're really talking about is a not so new, but newly formalized approach to dealing with challenges. It is a concept and philosophy properly considered in the strategic context that allows us to apply capabilities holistically to achieve desired effects. Its most unique characteristics are the focus on the relevant populations, support to sovereign partners and a linkage to our shared interests. It is a DoD activity not limited to SOF or dependent on a state of war.


Irregular Warfare “the concept” equips us intellectually to deal with a global environment that is characterized by broad ambiguities. These ambiguities are seen in the apolar nature of a world with multiple competitors, both state and non-state. Challenge causations that include crime, extremism and accelerating migration patterns and finally the interdependencies and interconnectivity of economies, communications and media systems and social networks. This is, without question, a highly complex challenge set and we must be a more capable and sophisticated actor ourselves if we expect to protect our national interests.


In order to better understand how to mitigate operational risks in our institutions, you also have to study the complexity of modern warfare. The speed and complexity of new adversaries (fraudsters, hackers, spies, terrorists, vandals, corporate raiders) that exploit your Design, Implementation or Configuration apply equally to your accounting controls and your security measures. Those organizations that learn how to apply modern-day irregular warfare to the 21st century corporate battlefield will not only beat the competition, they will minimize their losses. The Operational Risk Management discipline is an essential element that begins with the tone at the top and one enlightened CEO.

01 October 2009

Remote Digital Forensics: Complacency Risk...

Operational Risk Management commands a spectrum of disciplines within the global corporate enterprise. While convergence of responsibility, accountability and resources is taking place, the internal threats continue to flourish. Why? How could a Chief Security Officer (CSO) not be aware of a specific threat to the institution by unknown subjects halfway around the world? The transnational organized crime syndicates that target our weakest organizations know that they don't share information between departments, business units or even shared services within the enterprise. Does your CSO get a briefing from the CISO or CIO / INFOSEC staff on what the latest threats mean to you, such as cyber heists using ACH fraud?

This complacency is an internal threat that continues to amaze many and reinforces what few people truly understand about risk management. The adversaries utilize asymmetric strategy against unsophisticated targets to perpetuate their crimes and overall threats to people, processes, systems and deposit accounts. They are the modern-day equivalents of "Bonnie & Clyde" and Al Capone with a dash of Al Gonzalez, all rolled up into a massive threat that is increasing exponentially:

Two Romanian Citizens Extradited to the United States to Face Charges Related to Alleged Phishing Scheme

A phishing scheme uses the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers, and Social Security numbers. Phishing schemes often work by sending out large numbers of counterfeit e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions, or other companies.

The investigation leading to the indictment stemmed from a citizen’s complaint concerning a fraudulent e-mail message made to appear as if it originated from Connecticut-based People’s Bank. In fact, the e-mail message directed victims to a computer in Minnesota that had been compromised, or “hacked,” and used to host a counterfeit People’s Bank Internet site. During the course of the investigation, it was determined that the defendants had allegedly engaged in similar phishing schemes against many other financial institutions and companies, including Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay, and PayPal.


Risk Management 101 talks to the X and Y axis, with X representing the frequency of a risk and Y representing its severity (impact). So using the four-quadrant model, the lower right box is where low severity, high frequency incidents occur. The upper left box is where high severity, low frequency incidents occur. Got it.

As a CSO in your organization, where do you spend your time, resources and personnel in terms of their training, awareness and work efforts? Think about it for a minute. Most of you would probably say, "Well, we focus on the High Frequency times High Risk incidents, the upper right box of the Risk Management model." Practice and prepare only for the incidents that happen often, and you will have employees who have no clue what to do the day that something from that upper left box impacts your organization. The HIGH RISK x LOW FREQUENCY incidents are where you remain most vulnerable.

Arlington Man Sentenced 36 Months for $40 Million Ponzi Scheme

ALEXANDRIA, VA—Preston David Pinkett II, age 70, of Arlington, Va., was sentenced to 36 months in prison for engaging in a massive Ponzi scheme that raised more than $40 million in fraudulent payments from investors. Pinkett was also sentenced to three years of supervised release and ordered to pay $18,774,989 in restitution.


The two years that most frauds run before they are discovered tell most risk managers that even effective accounting and audit controls can't catch these white collar criminals before it's too late. The high risk, low frequency incidents have the greatest impact on your institution, and yet little or no resources, training or attention are paid to these threats to your reputation and economic livelihood.

Now let's take this a step further into what practices you have for employees exiting your business. Are you conducting exit interviews? Are you examining all of the employee's digital assets for the presence of anti-forensics or the exfiltration or theft of sensitive, proprietary trade secrets or intellectual property from the corporation? Both of these steps are necessary regardless of the person leaving and the circumstances of why they are leaving your institution.

The utilization of "Remote Digital Forensics" and other centralized shared services such as this can provide your Business Units and even suppliers with capabilities that they don't need to staff internally. The technologies and resources exist today to address the stealth of fraud, the crisis stemming from industrial espionage or the disgruntled employee stalking those who they perceive as the reason for their dismissal.

An effective internal approach to high tech and advanced Operational Risk Management as it pertains to the rapidly changing landscape of smart, educated and daring people shall include a robust intelligence and audit capacity. Without it, the transnational eCrime syndicates or the internal employee threat will prey on your vulnerabilities of complacency, lack of training and apathetic approach to the design, configuration or implementation of your systems.

24 September 2009

Threat Management Team: Preemptive Risk Strategy...

The Corporate Threat Management Team (TMT) has been busy this past year, and your employees are consistently seeing new and startling behavior beginning to emerge. These small, versatile task forces drawn from corporate Operational Risk committee members include the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and the Chief Information Officer or Privacy Officer.

Assessment of threats in the workplace that include violence, sabotage, financial fraud, homicide or suicide is growing in the current economic environment, and the Board of Directors is on alert. The Board has a daunting responsibility to provide the enterprise stakeholders with:

  • Duty to Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise

Threat assessment is a legal responsibility by corporate management and directors but this is not anything new per se. What may be trending upwards and at an alarming rate is the litigation associated with continuing job losses in many states across the United States where the stimulus programs have not stopped the erosion of employment opportunities. This in turn exacerbates the pressure on existing employees who are being held hostage by employers to do more with less and the stress factors in their jobs produce extreme and sometimes bizarre behavior. Just ask Dr. Larry Barton about the subject of corporate threat assessment:


Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital.

This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team

Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

The actions utilized to address a growing threat by a person in the workplace take a dedicated team, with the right tools and information at their fingertips. Making split-second decisions based upon a lack of documented evidence, a failure to follow a set of written policies or just the wrong timing can open the doors to substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in the reality of today's volatile enterprises requires a sound governance strategy execution combined with new resources and tools to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise, along with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only known as the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive. Each dollar invested here with the correct and smart resources with independent viewpoints will return nine dollars in savings from the reactive costs of hiring outside counsel and playing damage control on the corporate reputation.

14 September 2009

26 Wall Street: Risk Management Ground Zero...

Today President Obama speaks from the same place on Wall Street where the U.S. government has some of its roots as a nation. The topic on this anniversary of the demise of Lehman Brothers is risk management. This ground zero of managing credit, market and operational risk in one of the financial capitals of the globe brings several topics to the discussion table. Liz Moyer makes the point:

It's been a year since the $600 billion bankruptcy filing of Lehman Brothers and the financial market meltdown that forced the government into a multitrillion-dollar rescue of the U.S. banking system.

But for all the talk and hand wringing (and billions in direct government equity stakes in major banks and loan and debt guarantees) there's also been little real progress on how, or if, Washington might regulate its way out of this kind of mess in the future. Don't expect that to change anytime soon, as markets become more, not less, complex and interconnected.


If the American public has witnessed substantial uphill battles with reform for health care, they can be assured that the "Financial Services" lobby will be even stronger. The regulation of institutions such as so-called alternative investment firms (hedge funds) has many of them already leaving the U.S. for safer havens overseas. The trading will continue and the people behind the unique investment vehicles are getting even more creative. Investors are now buying up the pools of insurance products that have to pay out upon people's deaths. Life insurance settlements are being bundled and sold just as toxic mortgages were, and the bets are on with these products, just as they were with the housing market. Are people living longer or dying sooner? I guess that depends on where you live, what you eat and what your family history is.

The creativity of trading new and exotic products will continue and the watch dogs will have their hands full trying to figure out where to regulate and what agency should have the oversight. Free market capitalism as the regulator has already proven that it doesn't work. Consolidation of agencies that focus on the regulation and compliance enforcement of the financial services and investment industry is a tremendous risk in itself. The systemic root cause of the greed, compensation exploitation and the financial product innovation lies with some very smart people. The same people who can make a major difference in managing risk in their institutions going forward.

Regardless of the instruments that are invented for trading and the people who trade them, they all rely on one thing: software, with its escalating requirements for more computing power, terabytes and petabytes of storage, and the operational risks associated with information moving around the planet at almost light speed. Information and bits of data that can influence decisions on buy or sell strategies are only as good as the mathematics and the algorithms coded into the software.

The oversight of future financial products and the ability to take new offers to the market must have people looking at the math and the code. The systemic risks that erupted in the world markets over a year ago are a result of a complexity of systems and the speed of change in our connected economy. All of the transparency, accountability and reform of compensation packages will not impact the zeros and ones that make up the sophistication of the trading markets.

A single consumer financial protection agency will make the consumer feel better that the government is looking after them. It will modify behavior in the innovation and it may even close the gaps in the current rule sets. However, the operational risks associated with the confidentiality, integrity and assurance of information will continue to rise. These risks are consistently displayed in the public press and websites such as the Identity Theft Resource Center:

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:

  • Data on the Move
  • Accidental Exposure
  • Insider Theft
  • Subcontractors
  • Hacking

Yet operational risks such as these are only a piece of the total risk management equation as it pertains to Wall Street, International Banking and the so-called systemic risks talked about today, as the Washington Post says:

Warning that "history cannot be allowed to repeat itself," President Obama urged Wall Street on Monday to help jump-start a stalled effort to overhaul the U.S. financial regulatory system and head off a potential reprise of the U.S. economic crisis.

Visiting New York on the first anniversary of the nation's biggest bankruptcy, Obama used a speech at Federal Hall at 26 Wall St., site of George Washington's 1789 inauguration, to rally support for regulatory reform and call on the financial community to take responsibility for avoiding the abuses and failures that led the nation into a financial crisis last year and triggered a global recession.


Our greatest threat is complacency, as was indicated today: that we do nothing as a result of the failures of people, processes, systems and external events.

07 September 2009

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets is on every Operational Risk Management executive's mind these days. The recent milestone conviction under the Economic Espionage Act of 1996 in the United States marks the starting point for accelerated investigations by the counter intelligence and OPSEC units of major public and private organizations:

A former Rockwell and Boeing engineer from Orange County was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket.

How 250,000 pages of classified, proprietary and otherwise sensitive information came to be found under this employee's house is a good question. What might be an even more interesting question pertains to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being that exploits the vulnerabilities in the design, configuration or implementation of the layers of defense. This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the internal insurgency within the organization.

The Operational Risks that the OPSEC team is focused on these days have to do with data leakage prevention (DLP), insider threat prevention and data exfiltration prevention capabilities. As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in the "insider" detection and prevention of stealing, changing or deleting sensitive information, there still remains the risk of human factors and social engineering.

Sometimes the low tech or human designed detection systems that work on behavioral sciences can be just as effective as the newest software running on the fastest computer box. One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees? Those individuals who have certain access to systems or information, leave the organization for involuntary reasons or people that may be 3rd party suppliers to the key people in the red zone. So how does the Reid Technique help?

The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation, thereby allowing the investigator to focus upon the person most likely to be guilty.

Organizations spend thousands of dollars, if not hundreds of thousands, doing what are called background investigations. These are many times outsourced to 3rd parties to provide a level of comfort that the person they are going to hire is a person with integrity who has not committed any crimes and does not live a lifestyle that is not commensurate with the policies and regulations of the organization's hiring and employment practices.

The Integrity Interview is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

Specifically, the following areas are assessed during the interview:

Employment History
Theft and Related Activities
Work Related Alcohol Use
Violations of Company Policy
Recent Use of Illegal Drugs
Criminal Behavior


The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior is their recent past behavior.


The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies regarding digital assets and cyberspace access to organizational data repositories. Individuals who have the characteristics associated with deception could be the target of a further investigation to determine whether any unauthorized information has been sent to a webmail account or if a 4 GB Thumb Drive happened to be plugged into a corporate laptop the night before the last day on the job.
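One way the OPSEC team could follow up on the departing-employee check described above, as an added example that is not part of the original post: correlate endpoint events (removable media insertions, webmail uploads) with the last day on the job of each "red zone" employee, flagging activity inside the departure window and after business hours. The log lines, user names, hostnames and dates are all constructed; the log format is assumed for illustration.

```python
"""Added example (not from the original post): flag removable-media and
webmail activity by "red zone" employees in the days before their last day.
All log lines, users, hosts and dates below are constructed."""
from datetime import datetime, timedelta

# Constructed endpoint log: timestamp host user event key=value ...
USB_LOG = """\
2009-08-27T09:12:03 LAPTOP-114 jdoe USB_INSERT vendor=generic size_gb=4
2009-08-28T22:41:17 LAPTOP-114 jdoe USB_INSERT vendor=generic size_gb=4
2009-08-28T23:05:44 LAPTOP-114 jdoe WEBMAIL_UPLOAD size_mb=180
2009-08-20T10:00:00 LAPTOP-207 asmith USB_INSERT vendor=generic size_gb=16
2009-08-29T08:30:00 LAPTOP-330 bwong USB_INSERT vendor=generic size_gb=8
"""

# Constructed red-zone roster from HR: user -> last day on the job (ISO date).
RED_ZONE = {"jdoe": "2009-08-29", "bwong": "2009-09-30"}

# Event types the interview follow-up is interested in.
EXFIL_EVENTS = {"USB_INSERT", "WEBMAIL_UPLOAD"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, *rest = line.split()
        detail = dict(kv.split("=", 1) for kv in rest)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "event": event,
            "detail": detail,
        })
    return events


def is_after_hours(ts, start_hour=7, end_hour=19):
    """True when the event falls outside an assumed 07:00-19:00 workday."""
    return ts.hour < start_hour or ts.hour >= end_hour


def departure_indicators(events, roster, days_before=3):
    """Group exfiltration-type events by red-zone user when they fall within
    `days_before` days of that user's last day (inclusive of the last day).
    Each flagged event is annotated with whether it happened after hours."""
    flagged = {}
    for ev in events:
        if ev["event"] not in EXFIL_EVENTS:
            continue
        last_day = roster.get(ev["user"])
        if last_day is None:
            continue  # not a red-zone employee
        last = datetime.fromisoformat(last_day)
        window_start = last - timedelta(days=days_before)
        window_end = last + timedelta(days=1)  # whole last day counts
        if window_start <= ev["ts"] < window_end:
            entry = dict(ev, after_hours=is_after_hours(ev["ts"]))
            flagged.setdefault(ev["user"], []).append(entry)
    return flagged


def summarize(flagged):
    """Per-user counts an investigator can hand to the interview team."""
    return {
        user: {
            "events": len(items),
            "after_hours": sum(1 for e in items if e["after_hours"]),
            "usb_inserts": sum(1 for e in items if e["event"] == "USB_INSERT"),
        }
        for user, items in flagged.items()
    }


if __name__ == "__main__":
    hits = departure_indicators(parse_log(USB_LOG), RED_ZONE)
    for user, stats in summarize(hits).items():
        print(user, stats)
```

Only jdoe is flagged here: two USB insertions and one webmail upload in the three days before the last day, two of them late at night; asmith is not on the roster and bwong's insertion is a month before departure.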

This low tech method may be one of the most effective means against industrial espionage: old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasures will not be able to thwart a diligent, patient and trusted insider. Utilizing Behavioral Interview Analysis can make the difference between early detection and late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their 4GW strategy on the cyberspace front of corporations and governments worldwide. Just ask Jeffrey Carr:

The Cyber Domain consists of inter-related threats (financial crimes, espionage, network warfare) that have traditionally been segmented off to different agencies with their own siloed areas of responsibility. What is needed, however, is a unified approach to collection and analysis that mimics the non-traditional, multi-faceted strategies used by non-state actors in both cyber and kinetic conflicts. Project Grey Goose was our proof-of-concept.

Economic espionage and attacks on nation states' critical infrastructures require a substantial shift in policy and taxonomy if we are ever going to be effective in defending ourselves. GreyLogic may be on the right track when it comes to educating those who need it so that they can make the leap to be "Wired for War." While the CEOs and the Generals are being briefed on the latest facets of "Weaponizing Malware," we can only hope that OPSEC is conducting the behavioral analysis interview: a face to face encounter with someone who may just be that one person who has your most valuable intellectual property or trade secret in the briefcase at their feet.

01 September 2009

Social Engineering: Duplicity of Twitter Risk...

The use of commercial-off-the-shelf (COTS) software applications and the revolution of Cyberspace virtual hardware devices connected to the "Cloud" has proactive Operational Risk professionals "burning the midnight oil". How many of your Executive Management and other employees with roles and access to sensitive proprietary information are using Twitter today? Did any of them update their Facebook profile last evening indicating their next travel stop? Are any of these individuals part of the corporate Mergers & Acquisitions team?

The use of social networking tools is not new when it comes to networking with colleagues or updating the professional experience history. What is less well known is how foreign intelligence agencies and competitive intel units from commercial enterprises are utilizing these products and solutions to perpetuate their collection of human and program information.

One only has to watch Tony Gilroy's latest movie "Duplicity" with Clive Owen and Julia Roberts to better understand the risks to corporate and national security. Gilroy's sequence of the Jason Bourne series to Michael Clayton and now Duplicity and "State of Play" all have very important lessons for us. Here is the Duplicity synopsis:

Julia Roberts working for the CIA and Clive Owen working for MI6 play competing undercover corporate high level top secret business spies who may or may not be conning each other. The movie shows us what lengths mega corporations will try and go to keep their new product information out of the hands of their competitors. The spies in this case will not even acknowledge their relationship as a sly parallel to regular relationships. The implication here is that most people do not say or trust themselves in relationships, but as spies Julia and Clive have good reason to be wary. Multi continent travels, many plot twists and counter twists follow. The music is light, locations are beautiful and evoke the Ocean's movies, and fun is had by all even if you can't always follow the plot.

Are you following someone on "Twitter" who is with one of your competitors? Do you know all of your followers personally? Who is in your supply or customer chain that may be leaking vital information before it's ready for "Prime Time"? What is the point? Hypothesis? Let's see if this makes any sense:

Lockheed Martin has thousands of suppliers. Each of those suppliers is interested in selling their products or services to LMT's competitors to increase their own market share. VirTra is one of those suppliers and provides the following capabilities to Lockheed:

(OTC:VTSI.PK), today announced that VirTra has received another order from Lockheed Martin Simulation Training and Support business for VirTra's newest and smallest Threat-Fire device, the Threat-Fire II.

The Threat-Fire II is a clip-on return fire simulator, similar in function to the Threat-Fire belt; however, the Threat-Fire II is designed to clip onto an officer or soldier's duty belt. The Threat-Fire II is not only small and lightweight to be unobtrusive, but it is also rechargeable and compatible with VirTra's wireless system.

"We are thrilled that Lockheed Martin has ordered our very latest Threat-Fire II. Our Threat-Fire line of return fire are highly effective simulation training aids and it is an honor that an industry pioneer like Lockheed Martin Simulation Training and Support continues to order VirTra's unique training devices,"

You can get to this press release by following this Twitter page, and you ask yourself: why would this person be tweeting about Lockheed Martin or VirTra's deal with them?

1,691 Following 1,313 Followers

VirTra Receives Fourth Order from Lockheed Martin Simulation ... http://bit.ly/1ZNuVz

A quick Open Source search reveals that she is a Sales Manager at Harrahs/Rio in Las Vegas. Whether she got this information on the VirTra deal because she is following someone, or because one of her followers sent her this "Tweet" on the press release, does not matter. She could have read this information in the local newspaper or on the RSS feed she has set up for tracking the Defense Industrial Base companies doing business together. What matters is the relevance of this information and the speed at which it becomes known by many, not just a few.

There is no law prohibiting the "Tweeting" of public information as long as the so-called public information is not subject to some national classification scrutiny or is not some kind of insider information for the review of the SEC. What is more likely is that she is like millions of others on the web who are using social networking to drive you to a web site that is being driven by advertising or some other multi-level marketing offer.

This is just one small illustration of the power and the vulnerability that exists with the COTS software operating in our planet's virtual digital cloud today. How we apply its use for the good or the bad of humanity is up to each of the humans behind the keys on the PDA, Blackberry or PC. Therefore, just as the Internet has spawned the age of transnational economic crime, child pornography and cyber extortion plots, so too will these same tools on our mobile devices be leveraged to do us potential harm or good.

Viral Marketing is here to stay and the use of these new age tools to spread the word on a new product, a new stock offering or the sighting of a celebrity on Rodeo Drive in Beverly Hills is exploding:


  • The Ponzi scheme and related investment Pyramid schemes, are early examples of viral marketing. In each round, investors are paid interest from the principal deposits of later investors. Early investors are so enthusiastic that they recruit their friends resulting in exponential growth until the pool of available investors is tapped out and the scheme collapses.
  • Multi-level marketing popularized in the 1960s and '70s (not to be confused with Ponzi schemes) is essentially a form of viral marketing in which representatives gain income through marketing products through their circle of influence and give their friends a chance to market products similarly. When successful, the strategy creates an exponentially growing network of representatives and greatly enriches adopters. Examples include Amway and Mary Kay Cosmetics among many others.

Tom Olzak offers us some great perspective on how to deal with the inevitable digital wave upon us:

Defending against the inevitable

Trying to adequately control new employee use of public social networking by simply telling them to stop is futile, although use of these sites should be addressed in the company’s acceptable use policy. And employee behavior can be modified somewhat by awareness training, but behavior is what it is. Some employees will continue to act in either careless or malicious ways, especially if motivated to do so. However, there are still things you can do, in addition to basic security controls, to mitigate risk, including:

  1. Block use of public social networking sites from the office is my strongest recommendation. This will help protect your data or social engineered information, about your company or network, from finding its way directly from the employee’s desk or your network, to either a social networking site or a friend met at such a site.
  2. Implement DLP (data leakage prevention). Know where and how your data is moving. If an online ‘friend’ of one of your employees happens to gain access because of sharing activities, you will be able to block data loss or at least know it’s happening.

Keep your eyes and ears open to what you are saying at the local restaurant or on the phone in the lobby of that big metro area hotel. It could be known to your competitors or your enemies within a matter of minutes.

24 August 2009

Health Care: Operational Risk on Steroids...

Health Care Sector Operational Risk Management is on the front burner once again. Recent changes to federal law governing health information suggest expanded regulation, increased enforcement, and significantly enhanced penalties could be on the horizon for businesses not previously subject to HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), which was amended by the American Recovery and Reinvestment Act of 2009 (ARRA) in February, regulates the use of, access to, and dissemination of healthcare information. The increased scrutiny of our own health related personal identifiable information is only the beginning of a national platform for health care. Personal health records will be highly sought after by criminal organizations to help them with extensive online extortion schemes so they can monetize the stolen information.

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Transnational economic crime syndicates that have been fueled by the failures in systems and people at institutions in the financial services industry may now be getting a better source to perpetuate their wave of extortion. Just think about the phishing e-mail that goes out to the hundreds of thousands of people who have a particular type of medical condition or are taking a specific drug to help a particular medical diagnosis. Revealing the names, occupations and other relevant information on the subset of male politicians running for office that are currently taking the Pfizer drug for ED, or the subset of women talk show hosts that are taking the drug Xanax, may have some individuals willing to pay the 500 or 1000 dollars being demanded by the criminals that stole the Protected Health Information (PHI).

As the United States speeds along towards the consensus on a national health care system, the risk of health care data breaches will be rising. Where a doctor had a small staff helping with the back office to bill insurers, and where the health care information systems vendors were in high demand, you will now have the nexus of targets that cyberspace criminals will be focused on. Like the consumer retailers who rely on third party credit card processing companies to take care of the millions of annual point-of-sale transactions, so too will the consumers of health care services at the retail level: doctors' offices, pharmacies and outpatient or triage centers.

The HHS and FTC interim rules were mandated by more stringent privacy and security requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA) for Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates and certain non-HIPAA-covered entities.

"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the HHS Office for Civil Rights.

HHS and FTC said their rules were intentionally written to be harmonious with one another. The entities covered by either rule have up to 60 days to notify individuals whose information was accessed without authorization. If the breach involves PHI belonging to 500 or more people, entities must alert the media and either HHS or FTC, depending on which rule they are subject to. If the breach involves less than 500 people, the entities must keep a log of the incident to be submitted to either HHS or FTC at the end of the year.

Unlike the motive to utilize the information from a compromised credit card to monetize it through additional fraudulent purchases, the new health care criminal syndicates will find their own niches. Whether there is a continued attempt at utilizing the PHI for spear phishing attempts at specific individuals online or a more broad use of PHI to steal one's identity to obtain health services at hospitals or physicians' offices, the impact could now turn more deadly:

Medical identity theft is potentially lethal to its victims. When the identity thief obtains medical treatment, medical records are created in the name of the victim. When treatment occurs in the same locality as the victim, the treatment of the thief can be appended to local medical records of the victim. With the strong movement towards electronic medical records, all those under the victim’s name and social security number can be collated in seconds. Once the thief’s medical records are collated with the victim’s, there is a risk of mistreatment of the victim, which can potentially lead to death.

Lind Weaver, a retired school teacher, was harassed by a bill collector for a medical bill for the amputation of her foot. The problem was that Weaver still had two feet. Foot amputations are associated with diabetes, a disease that Weaver did not have. Months later Weaver suffered a heart attack; when she awoke in the hospital a nurse asked her which type of drugs she was taking for her diabetes. Had Weaver undergone heart surgery as a diabetic, mistreatment could have been life threatening.


Protected Health Information will continue to be a challenge for those institutions that are trying to achieve a "Defensible Standard of Care" in the decade ahead. The wave of risks associated with online banking and the technologies driven by consumers' thirst for financial information will seem inconsequential compared to what we are about to experience in the online health care industry.

17 August 2009

Business Resilience: Beyond Readiness...

The continuity of your telecom operations is an operational risk that in many cases is underestimated until a significant business disruption occurs. When telecom is down, this means a combination of voice and data services that serve your business enterprise may not be available. The resilience of both the voice and data communications is the holy grail of continuity of operations and disaster recovery professionals on a global basis.

Business Resilience, the ability to effectively anticipate or absorb the impact of an incident, whether man made or the result of a natural phenomenon, differentiates your suppliers. When is the last time you tested your Tier I service supplier for a mission critical business process to determine their ability to keep voice and data services running during a time of crisis? And maybe more important, is your own enterprise Incident Command system survivable so that you can provide voice leadership to your "Incident Commanders" wherever they may be located?

Until now, telework, disaster recovery and business continuity professionals have primarily been limited to expensive, hardware-based, or location-specific solutions that remain inherently vulnerable. TeleContinuity’s end-user driven and “virtual” service solution is predicated on turning the traditional disaster recovery and business continuity model on its head. Instead of focusing on protecting centralized telecom infrastructure and equipment-based assets; pre-planning for employee relocation; and location-specific solutions designed to enfranchise only a select number of key executives -- TeleContinuity assumes the entire telecom capability of the enterprise is wiped out and that all employees and key executives are individually scattered to a myriad of undetermined locations.

Unencumbered by the traditional telco infrastructure mentality or by the business agendas of telecommunication hardware or IP equipment vendors, TeleContinuity’s founders synthesized the best design elements of PSTN, Internet, and dynamic call center technologies to create a seamless, ubiquitous, and fully resilient outsourced services solution. There is no equipment to buy. We do not touch the customer’s PBX. A customer does not need to change their carrier relationship.

Additionally, TeleContinuity can provide your organization all the capabilities it needs on a daily basis so that you can work remotely from any location with access to the infrastructure that makes your data and voice applications usable.

TeleContinuity is just one good example of how to make your organization more business resilient. As we approach the middle of the Hurricane season here in the U.S., you can understand why having energy to power systems is an important aspect of most COOP discussions. This simple yet valid argument for back-up power has been going on for a decade or more. Yet not until the last several years, with Iraq, Afghanistan and other places, and with some of our most horrific displays of "Mother Nature's" wrath on domestic urban infrastructure, has energy innovation become commercialized.

White Door offers a proprietary line of portable towers systems fueled by non-traditional power sources. These self-powered towers can be rapidly deployed to satisfy physical security and communications requirements in areas where conventional power is not readily available or too expensive to deploy.

Utilizing alternative energy power sources including solar panels, wind turbines and hydrogen fuel cells, the towers have been designed to power communications and security systems for both long term and short term requirements. Completely independent of the power grid, they eliminate the costs of trenching and physical bandwidth provisioning, are flexible to place and relocate, and easily upgraded because they utilize COTS (commercial-off-the-shelf) integrated security and communication systems. These mobile trailer-towers offer an effective, reliable and energy efficient platform to power mission critical applications anywhere in the world.


White Door provides resilience to the warfighter, first responder or the corporate enterprise in their quest for alternative power and communications capabilities. When it comes to planning for the next Hurricane Katrina or the "Tip of the Spear" overseas operations readiness, resilient business organizations need to implement robust planning, exercises and systems to be able to overcome the operational risks that are before them.

Power blackouts are the catalyst for many risks to the critical infrastructure including Transportation, Internet, Voice communications and even those services that you take for granted like pumping gas at the local petrol station or emergency services at the local hospital. September is DHS Preparedness Month in the US and the focus is once again on the physical readiness of our nation.

There is however another facet of readiness that is slowly getting attention across the landscape of data systems blackouts, such as the mission critical applications we utilize almost every day, such as Online Banking and Voice Over Internet Protocol (VOIP) for voice communications. Cyberspace as we know it is so embedded into most of the mission essential aspects of business today that our readiness factor needs to go well beyond redundant power supplies and battery backups for power. Cyber-Readiness is a key component of any organization's plan to stay resilient in the face of a Distributed Denial of Service Attack (DDOS) and other cyberspace exploits that disrupt our operations.

Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of swiping 130 million accounts on top of 40 million he stole previously.

Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit computer exploits ended when he went to jail on charges stemming from an earlier case.

Do you think you're spending too much time with your team planning and training? You haven't. Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong. The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful in their strategy execution. Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like let alone know what to do next to mitigate the risk to them and the organization?

07 August 2009

Cloud Security: OPS Risk in a Virtual Infrastructure...

"Cloud Computing" is heating up as the information centric business enterprise looks for new economic strategies to reduce costs, save energy, and share expensive resources. Cloud Security is getting into the discussion simultaneously as the lobbyist alliances make their way around the "Obama Beltway." The Cloud Security Alliance held its symposium this past week at Mitre to set the stage for its 501(c)(6) activities in the federal agencies.

Welcome to the topic of more effective "Operational Risk Management" as an increasingly relevant strategic mandate for the future of enabling enterprise business resilience and achieving a defensible standard of care. Cloud Computing is already here and rapidly accelerating into the way business is leveraging the economies of scale, efficiency of provisioning new users, lowering energy and overhead costs and rapidly gaining new found applications. Why wait around for the IT department any longer? All the headaches of procuring, maintaining and supporting the physical infrastructure of large Information Technology operations are seemingly going to disappear. Or are they?

What once could be called that minor headache could quickly turn into a major migraine or subarachnoid hemorrhage. When a data breach, denial of service (DoS) or business disruption occurs it will most certainly be on a more massive scale that requires a substantial response to contain the bleeding. If you thought disaster recovery and continuity of operations (COOP) was something you could ignore until you ultimately had an incident, that mindset is certainly over.

Attack on Twitter Came in Two Waves

The meltdown that left 45 million Twitter users unable to access the service on Thursday came in two waves and was directed at a single blogger who has voiced his support for the Republic of Georgia in that country’s continuing conflict with Russia.

Facebook’s chief security officer, Max Kelly, told CNet that the attack was aimed at a user known as Cyxymu, who had accounts on Facebook, Twitter, LiveJournal and other sites affected by Thursday’s cyberassault.

In an interview with The Guardian, the blogger said he believed the strike was an attempt to silence his criticism on the behavior of Russia in the conflict over the South Ossetia region in Georgia, which began a year ago on Friday.

How did a targeted attack against a single user manage to cripple Twitter for almost an entire day?

As Cloud Computing takes businesses into a greater degree of "Domestic Outsourcing" the risk factors change along with the legal risks of 3rd party or 4th party liability. Contractual service level agreements (SLA) that were used in the past for hosting a web site will be far greater in scope, with a table of loss events and their respective costs per incident by the minute of downtime. And this is just the beginning of the "What ifs?" Some of these will be different from the normal offshoring risk management question sets.

Take eDiscovery and digital forensics for a minute. What is the difference between a lawful intercept and economic espionage? The name of the government behind it. With no perimeter and data everywhere, who can say where your vital mission-critical data actually is in the midst of the 100,000 sq. ft. server farm full of VMware and racks of EMC storage? Even if you knew exactly where it was located in the U.S., India or Singapore, what are the assurances that it is safe, or safer than in your own facility? Even with 16 pages of security documentation controls and a SAS 70 Type II certification it may not be enough to defeat the "Fuzzing of VMware" and Hypervisor "Blue Pills".

At the MidAmerica Industrial Park in Oklahoma, amid a Gatorade plant, a pipe manufacturer and nearly 80 other companies, Google is piecing together a plain-looking 100,000-square-foot building it will stock with servers. Next to the industrial park stands a coal-fired electrical generating plant operated by the Grand River Dam Authority.

It helps that the price is right. Google's corporate headquarters sit in Mountain View, Calif. The average industrial electrical rate in the Golden State runs about 9 cents per kilowatt hour. In Iowa and Oklahoma, the meter runs at between 4 and 5.5 cents.

"Google is ... not the type of industry that is really dependent on location, since its product is Internet-based," said Justin Alberty, Grand River spokesman. "The real factors in choosing a location tend to be land, water and electricity."

Server farms, also referred to as data centers by the industry, are also becoming more common with the growth of "cloud computing." The term refers to companies building massive computing power and then renting that capacity out to other firms. Amazon, for one, sells not just books, but time on its servers to run Web sites or store electronic records.

In that way, computing is starting to look like the next utility. In the same way it would be inefficient for each home to have its own electrical generator, it can make sense for consumers and businesses to farm out their computing needs. Some analysts even see consumers buying less highly powered personal computers in the future and relying on firms like Google to fire up the necessary microprocessors when the demand requires.


Operational Risk is a key facet of Cloud Computing and the security of this growing IT strategy. Navigating the laws on the ground in advance of the unseen barriers in the cloud will provide the enterprise with significant hedges against the new emerging risks of the virtual infrastructure before you.

31 July 2009

Red Flags Rule: Reputations at Stake...

The "Red Flags Rule" is on the back burner in the United States until November 1, 2009. The Federal Trade Commission has delayed the compliance mandate again. Are you ready? Do you have to comply?

The Federal Trade Commission has postponed a deadline for many of the nation's businesses -- including banks, public utilities and health-care providers -- to comply with a controversial identity-theft prevention program.

The program, called the "Red Flags Rule," was to take effect Aug. 1 but will now be delayed until Nov. 1. The program is aimed at preventing the loss of billions of dollars as the result of the theft of consumer and taxpayer personal information. Under the regulation, companies and institutions would be required to establish a way to identify potential threats at the businesses, find ways of detecting such threats and install measures to prevent them. Employees would also have to be educated about the programs.

A survey commissioned in 2006 by the FTC revealed that more than nine million Americans have their identities stolen each year at a total estimated loss of $15.6 billion.


The nation is under a barrage of attacks from adversaries that lie in the shadows such as "Conficker" and other botnets or malware, and businesses still delay the compliance measures asked of them. One only has to look deeply into the latest 2009 report from Cisco to better understand the state of risk from "Transnational Economic Crime":

Report Highlights

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and individual users are paying little attention to these types of threats.
  • Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
  • Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
  • Criminals are now targeting online banking customers using well-designed, localized text message scams that leave virtually no trail in their wake.
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are similarly increasing efforts to enhance cybersecurity and prevent cybercrime.
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly. According to research by Cisco, this is a clear sign that the security community is succeeding in making it more difficult for attacks to take root and grow.


Operational Risks are vast and the technology landscape is not getting narrower, it is expanding. Cloud Computing is now the latest attempt to get cost savings and to make the IT puzzle less of an asset management nightmare. If you think that you understand it and where it's heading, think again. One only has to visit "Black Hat" and the briefings to get a better sense of what the true risks are going to be, if they are not here already. This one caught our eye and for good reason:

Nitesh Dhanjani

Psychotronica: Exposure, Control, and Deceit

This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.

Topics of discussion will include:

Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.

Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.

Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages.


The risks to "Social Networking" Twitter-based consumers and the extended digital enterprise are vast. The CISOs and internal audit teams have been having their own internal battle for years and will soon realize, once and for all, that they are on the same side of the Cyberspace war. The risks to the organization may come in the form of a major business disruption, denial of service (DoS) or, even worse, a significant loss of consumer Personally Identifiable Information (PII). Even if you are considered PCI compliant, just as "Network Solutions" was, the loss of reputation can be significant:

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

The "Red Flag" may have turned to a "White Flag" as you surrender to the lawyers and the federal oversight.

17 July 2009

FCPA: Modern Day "Smoking Gun"...

Corporate malfeasance is on the mind of most global executives today. Their enterprise is consistently fighting the economic challenges and at the same time defending its reputation as new "Smoking Guns" are revealed. Perhaps these modern day discoveries of wrongdoing should be renamed "Smoking Digital Evidence" because this is exactly what it is. Information uncovered through normal monitoring practices or as the result of a specific investigation produces "Red Flag" alerts based upon acceptable use policy or corporate rule sets.

These "Red Flags" uncovered in the context of programs devoted to processing digital evidence are now a standard modus operandi for corporate governance, legal and operations risk management. These new tactical business units are being developed in a rapid response to new regulatory and compliance mandates, yet the greater pressure is coming from the wake-up calls senior executives have been receiving lately.

The Justice Department's probe of the credit default swaps market is reportedly focusing on Markit Group Holdings Ltd., the London-based supplier of prices in OTC derivatives, and its relationship to a group of major banks that own a stake in the company. The DOJ is scrutinizing the ownership of Markit by a group of banks that control a large amount of pricing in the $28 trillion credit derivatives market.

The banks have received a notice of investigation from the DOJ asking them for details on their trading activity, including how much they have at risk in the market and their monthly value of their credit default swaps, according to Bloomberg News. Banks that own the largest stakes in Markit, include: J.P. Morgan, Bank of America (through its acquisition of Merrill Lynch), Deutsche Bank, Royal Bank of Scotland which acquired ABN Amro, as well as Credit Suisse, Goldman Sachs, Morgan Stanley and UBS, according to Bloomberg News.

"The DOJ is looking to find any wrongdoing in that marketplace," commented Paul Zubulake, senior analyst at Aite Group in an interview with Wall Street & Technology. "Obviously that is going to open up a large can of worms," he said. "It will be costly for the dealers that have to battle the DOJ given the discovery issues, about all the information, emails and instant messages they will need to turn over."

Digital Forensics, Records Management and eDiscovery units at some of the largest financial institutions are working overtime. Finding any "Smoking Digital Evidence" will be the standard operating procedure on most international transactions whether it be in the financial services industry or even telecommunications:

Good news for compliance officers: You now have solid evidence that the benefit of implementing an effective compliance program far outweighs the cost, in the form of the massive Foreign Corrupt Practices Act settlements swallowed by Siemens AG and three of its foreign subsidiaries.

Siemens, a German conglomerate that is one of the largest engineering firms in the world, agreed in December to pay more than $1.6 billion to U.S. and German regulators for a massive bribery scheme that felled the highest executives at the company. Penalties paid to the Justice Department and Securities and Exchange Commission alone topped $800 million, by far the largest sanction ever imposed in an FCPA case.

In the following excerpt, Linda Chatman Thomsen speaks on the massive Siemens investigation: "Furthermore, the $1.6 billion total that Siemens will pay in these settlements is the largest amount that any company has ever paid to resolve corruption-related charges.

And that is fitting because the alleged conduct by Siemens was egregious and brazen. It was systematic, it involved thousands of payments, and it occurred over an extensive six-year period. Siemens created elaborate payment schemes to conceal these corrupt payments to foreign officials. The company’s inadequate internal controls allowed the conduct to flourish.

The details tell a very unsavory story: employees obtained large amounts of cash for Siemens’ cash desks; employees sometimes carried that cash in suitcases across international borders to pay bribes; payment authorizations were recorded on post-it notes that were later removed to avoid leaving any permanent record; there were slush funds and a cadre of consultants and intermediaries to facilitate paying the bribes.

Investigating this intricate scheme and righting Siemens’ wrongs has taken a remarkable and unprecedented level of coordination among many law enforcement agencies around the world."

The internal threat of employees, partners and so-called in-country agents who help facilitate business deals is one square in the risk management matrix. The business transactions themselves are becoming part of the Venn Diagram that includes:

  • Business & Global Commerce
  • Personnel Security & Integrity
  • Rule of Law & Litigation

As global institutions continue their expansion across the continents where capital follows security and the rule of law, so too will the attacks on the corporate enterprise.

09 July 2009

Trusted Systems: Human Factors in Play...

The case is U.S. v. Dreier, 09-cr-00085, U.S. District Court, Southern District of New York (Manhattan). It's only the beginning of a long hard road for many unidentified subjects (unsubs) as the fallout from the U.S. economic crisis uncovers who was stealing other people's money for their own fraudulent schemes.

Marc Dreier, the New York law firm founder who pleaded guilty to defrauding hedge funds of more than $400 million, should be sentenced to 145 years in jail, prosecutors said, as a defense lawyer sought a term of as little as 10 years.

The rival requests came in court filings today in federal court in Manhattan. Dreier will be sentenced on July 13 by U.S. District Judge Jed Rakoff. Investors who placed more than $740 million with Dreier lost at least $400 million, lawyers said.


Operational Risks associated with 3rd party suppliers are a continuous concern. Effective due diligence with partners and service providers is a necessary task, on a quarterly basis. Many institutions leave it up to the service level agreement (SLA) or the written contract to be the monitor. To their detriment, written words on a contract are not enough. Especially when the partners are the lawyers themselves.

New York prosecutors on Wednesday said 13 people and a mortgage origination company have been indicted on charges of running a multimillion-dollar real-estate fraud that cheated lenders through sham sales.

The defendants include employees at the Long Island, New York-based mortgage company AFG Financial Group Inc, several attorneys and other defendants, according to Manhattan District Attorney Robert Morgenthau.

The investigation is continuing, and Morgenthau said the size of the scheme could eventually total $200 million.

One lawyer accused of engaging in fraudulent transactions was involved in transactions adding up to more than $100 million, Morgenthau said.

Lenders who were victimized in transactions made by that one lawyer included New Century Mortgage Corp, WaMu/Long Beach Mortgage Co, Countrywide Financial, First Franklin Financial Corp and Mortgage Network USA Inc.


The financial services sector will continue to be a quagmire for transactions for decades to come. The due diligence, fact checking and assurance that the "Deal" is a solid one will continue to place a tremendous burden on all parties: the consumer, the lender and the underwriters.

The human factors associated with crimes such as fraud are well known. The "Ponzi Scheme" has been a textbook case for study in business schools for years. What may not have been so obvious is the science behind the human motivators. And maybe not even noticeable is how accustomed the human is to trusting the automated world we live in. The fact that computers calculate what we have purchased in the retail store is one of the first trusted information scenarios we grow up with. How many people actually add up all of the dozens of items in their grocery cart, calculate the tax and any discounts to see if the Point of Sale (POS) system has done its math correctly?

So what is Human Factors Science?

Human factors are sets of human-specific physical, cognitive, or social properties which either may interact in a critical or dangerous manner with technological systems, human natural environment, or human organizations, or they can be taken under consideration in the design of ergonomic human-user oriented equipment. The choice/identification of human factors usually depends on their possible negative or positive impact on the functioning of human-organization and human-machine system.

Did someone try to steal Goldman Sachs’ secret sauce?

While most in the US were celebrating the 4th of July, a Russian immigrant living in New Jersey was being held on federal charges of stealing top-secret computer trading codes from a major New York-based financial institution—that sources say is none other than Goldman Sachs.

The allegations, if true, are big news because the codes the accused man, Sergey Aleynikov, tried to steal is the secret code to unlocking Goldman’s automated stocks and commodities trading businesses. Federal authorities allege the computer codes and related-trading files that Aleynikov uploaded to a German-based website help this major “financial institution” generate millions of dollars in profits each year.


Trusted Systems and the information that flows from them are only as good as the programs that run them and the people who developed the millions of lines of code in the software. The trading systems at the NYSE, NASDAQ and Hang Seng Index are only as reliable as the calculations and the integrity of the systems themselves. When that trust in the trusted system is compromised, whether it be a program or a person, human factors take over.

03 July 2009

4th of July: Flying the Stars & Stripes of Freedom...

The U.S. (Uncle Sam) celebrates 233 years tomorrow. The Stars and Stripes of our flag will be flying high. How far we have come and yet we still envision that we have so far to go.

Celebrating the 4th of July in the United States means different things to different people. It all depends on your tenure here and how you have contributed to defending the freedoms we all share. And for those who have made the trip to our borders or overseas to defend our country, we give special thanks.

Two years ago we saluted Spencer S. on Memorial Day, as he prepared to make his way to being deployed to Iraq. He is still there now, an Airborne Medic, and we are thinking about him and all those other families who have sent their sons and daughters, husbands and wives, brothers and sisters, or fathers and mothers into harm's way to defend our freedom. We are humbled by your courage and thank you for your selfless contributions to keep us safer and more secure back home.

The Patriots of the U.S. are many and found everywhere, serving the country in uniform in the military or law enforcement, in suits and ties or dresses among the halls of government agencies found in small towns and famous suburbs like Langley. These millions of patriots and citizen soldiers are working to defend the truth of the Declaration of Independence and our Constitution.

At the same time, they are all Operational Risk Managers, mitigating the daily risks to life, property and our vital economic assets. Mike Stanley of the American Legion captures the essence of the early days of our country:

The United States of America began as thirteen different English colonies established along the eastern seaboard during the 17th & early 18th centuries. Gradually many of the colonists began to think of themselves more as Americans and less as Englishmen, a feeling that was spurred on by the decision of the British Parliament in the 1760s to tax the colonies for the expenses associated with keeping them in the British Empire. Since the colonists had no elected representatives in the British Parliament, they felt that these new taxes were “taxation without representation” and therefore, illegal.

From this point, the situation escalated quickly as Patriot groups formed to discuss the possibilities, and by the early 1770s, the Patriots had their own Provincial Congresses in each of the thirteen colonies, effectively replacing the representatives of the British government. In 1775, the Second Continental Congress was established, the Continental Army was organized, and fighting broke out when the British responded by sending combat troops to the colonies.

Finally, on July 4, 1776, the Declaration of Independence was signed, establishing the United States of America. The fierce determination of the Patriots to prevail, plus the important military and political support of the French, the Spanish & the Dutch, insured an American victory, and in 1783, the signing of the Treaty of Paris ended the American War of Independence and guaranteed the sovereignty of the United States of America.

Conflicts in the 21st century will be fought for many of the same reasons, and with a revolution of robots. In P.W. Singer's latest book, "Wired for War" he prepares us for the next 100 years:

What happens when science fiction becomes battlefield reality?
An amazing revolution is taking place on the battlefield, starting to change not just how wars are fought, but also the politics, economics, laws, and ethics that surround war itself. This upheaval is already afoot -- remote-controlled drones take out terrorists in Afghanistan, while the number of unmanned systems on the ground in Iraq has gone from zero to 12,000 over the last five years. But it is only the start. Military officers quietly acknowledge that new prototypes will soon make human fighter pilots obsolete, while the Pentagon researches tiny robots the size of flies to carry out reconnaissance work now handled by elite Special Forces troops.

Wired for War takes the reader on a journey to meet all the various players in this strange new world of war: odd-ball roboticists working in latter-day “skunk works” in the midst of suburbia; military pilots flying combat mission from their office cubicles outside Las Vegas; the Iraqi insurgents who are their targets; journalists trying to figure out just how to cover robots at war; and human rights activists wrestling with what is right and wrong in a world where our wars are increasingly being handed over to machines.

Maybe someday, Spencer will be able to stay hundreds or thousands of miles out of harm's way to defend our country's freedoms, because they won't need medics on the battlefield anymore.

26 June 2009

Digital Forensics: Right to Question CSI's...

The U.S. Supreme Court's ruling in MELENDEZ-DIAZ v. MASSACHUSETTS will have a significant impact on Digital Forensics expert practitioners. Legal cases utilizing the examination of computers and other digital assets containing relevant information will have more testimony by CSI analyst experts. The New York Times report by Adam Liptak says:

Crime laboratory reports may not be used against criminal defendants at trial unless the analysts responsible for creating them give testimony and subject themselves to cross-examination, the Supreme Court ruled Thursday in a 5-to-4 decision.

Noting that 500 employees of the Federal Bureau of Investigation laboratory in Quantico, Va., conduct more than a million scientific tests each year, Justice Kennedy wrote, “The court’s decision means that before any of those million tests reaches a jury, at least one of the laboratory’s analysts must board a plane, find his or her way to an unfamiliar courthouse and sit there waiting to read aloud notes made months ago.”

The outcome of the ruling for the prosecution is that forensic examiners and scientists will be more thoroughly scrutinized in the tests they perform. The process will require more effective documentation and the ability to play back for a jury exactly the process utilized to support any facts of evidence. This should not be difficult, as best practices such as videotaping the entire test and examination are already in use. Achieving a "Defensible Standard of Care" will, however, be even more of a priority for Operational Risk Management professionals.

The defendant will have the ability to cross-examine the analyst, whether the analyst determined the blood type of the accused attacker or the date, time, and place from which the defendant sent an e-mail from the office computer to a co-conspirator.

In the digital forensics environment, the ruling means that the subject matter experts will simply be spending more time in court and on the witness stand. This will lengthen the time it takes to conduct the trial, yet the right to examine the process, expertise and documented procedures behind the evidence that has been introduced is an important one.

From an Operational Risk Management point of view, this means that your eDiscovery and Digital Forensics certified examiners will be under the magnifying glass and subject to questioning by counsel. We expect increased attention to this in civil matters soon. Several states are asking that the outsourced entities associated with inspection of digital assets be licensed by the state itself, as a Private Investigator. This provision would subject the expert authority to also being legally certified in the knowledge of state laws pertaining to civil procedure, chain of custody and legal procedures on the handling of evidence.

The question remains whether the Supreme Court Justices were thinking beyond the test for the presence of a drug, which was the focus of MELENDEZ-DIAZ v. MASSACHUSETTS. The defense bar will be utilizing this ruling to go beyond the criminal courts to the civil trials where white collar cases are largely based upon the documents, e-mails and other digital evidence that has been retrieved using forensic procedures.

It will be interesting to see how this ruling impacts the professional licensing, certifications and documentation of examinations for the 21st century Digital Forensic "CSI".

16 June 2009

Proactive Risk Strategy: Transnational Asset Forfeiture...

Effective strategy execution and the application of intelligence to gain increased mission efficiency is the name of the game. The public / private convergence of people, processes, systems and the fusion of relevant international incident data establishes the playing field. The threats to the very fabric of our economic and security well-being are directly tied to the rule of law, the safety of the environment and the ability for capital to be invested with prudent risk management mechanisms in place.

If any component of this fabric becomes frayed or torn, this vulnerability threatens the overall resiliency of this "Transnational Ecosystem". The homeostasis of the "Transnational Ecosystem" is dependent on the factors associated with its ability to gain new energy (food, water, power, money) and to continually "Adapt" to its changing environment. The ability to adapt rapidly within this ecosystem will determine who the winners are and also the survivors. So what is a good example of this "Transnational Ecosystem" that we can apply to public / private convergence and Operational Risk Management?

Although pioneered in the USA, there now appears to be a global trend to use stand-alone civil proceedings as a means of recovering the proceeds of crime in the hope that they will be more effective than proceedings that are ancillary to and dependent on a criminal prosecution. Recent examples of jurisdictions that have introduced civil forfeiture legislation include Italy, South Africa, Ireland, the United Kingdom, Fiji, the Canadian Provinces of Ontario, Alberta, Manitoba, Saskatchewan and British Columbia, Australia and its individual States, and Antigua and Barbuda. In addition, the Commonwealth has produced model provisions to serve as a template for jurisdictions that wish to introduce such legislation.

This trend towards civil forfeiture has been prompted by the nature of organized crime. Organized crime heads use their resources to keep themselves distant from the crime that they are controlling and to mask the criminal origin of their assets. For this reason it has become extremely difficult to carry out successful criminal investigations leading to the prosecution and conviction of such individuals, with the result that finances derived from crime are often effectively out of the reach of the law and are available to be used to finance more crime. Such peaceful enjoyment of the proceeds of crime damages public confidence in the rule of law and provides harmful role models. This has led to a recognition that criminal confiscation regimes may be inadequate and ineffective in certain cases.


Traditionally, OPS Risk strategies associated with civil asset forfeiture intersect with AML (Anti-Money Laundering) and Terrorist Financing. Moving money on a global basis utilizing the modern day "Hawala" or informal value transfer system requires smart people and sophisticated systems. Putting the person at the right place with the right evidence is the investigator's "Holy Grail", yet there are other effective means for increasing that resiliency in the ecosystem.

The financial meltdown and economic crisis has impacted both the "Boy Scouts" and the "Wise Guys" on how to continue to prosper. The use of tools such as Asset Forfeiture in combination with timely intelligence, both Open Source and proprietary, can provide the means for another effective Operational Risk strategy in a public / private consortium. The cooperation, coordination and collaboration of banking, hedge funds, broker dealers, insurance companies and private equity firms with federal and state task forces is a growing trend.

The mantra "Need to Know" is quickly being replaced with "A Responsibility to Provide" in the intelligence community and soon to be in the ranks of the financial private sector as it pertains to adapting to the transnational ecosystem. One good example of this momentum can be found in the rapidly growing education and awareness programs focused on this very subject:

Mission Statement

AssetForfeitureWatch.com is the indispensable source of news, information and training for law enforcement professionals and others working in the asset forfeiture field. At AssetForfeitureWatch.com, we understand that turning the proceeds of crime against criminals is one of the most powerful tools law enforcement agencies have for keeping communities safe, eliminating corruption, and crippling cross-border criminal enterprises. In offering training and education, an annual conference, live and Web seminars and an interactive community, AssetForfeitureWatch.com keeps its members on the leading edge of asset forfeiture strategy and practice.


The goal is to utilize the existing international legal framework to improve the resiliency of the "Transnational Ecosystem." Beyond the banking institutions are the governments and countries themselves who must make their decisions about their own business and commerce models. These havens across the globe will continue to exist because they don't have manufacturing capacity, IT outsourcing services or a port for trading and exporting raw materials. Therefore, they will continue to cater to the needs of suspect enterprises, non-state actors and even some rogue nation states.

So what is the lesson here? Reading between the lines. Assets in your portfolio, on your books, in the warehouse or even in your personal possession may soon be the property of a government entity near you.

11 June 2009

4GW: U.S. CyberSpace OPS Risk...

The Washington, DC beltway bandits are buzzing in anticipation of President Obama's selection for the next defender and policy maker for United States CyberSpace. We wonder what branch of the armed forces s/he will be associated with and to what degree they gain the agreement of the power base that CyberSpace is indeed a "Strategic National Asset", once and for all.

Meanwhile, OPS Risk Managers are dealing with transnational non-state actors (in some cases funded by nation states) that are robbing our private sector and government agencies blind: stealing Personally Identifiable Information (PII), Corporate Intellectual Property, Defense R & D and classified State secrets. The next commander of U.S. CyberSpace has an even bigger job once the job starts: protecting and defending our country's vital Digital Infrastructure. This nexus of criminal, terrorist and irregular warfare is being waged on a 24/7 basis here in the homeland.

So how do you go about fighting this 4th Generation (4GW) war comprised of well organized, decentralized, clandestine subjects operating in the cyber shadows? This begins with creating an effective Information Sharing Environment (ISE), a fusion of who, what, when, how, where and maybe why. Defending the nation against the physical attacks of the likes of Al-Qaida or the virtual attacks from Yingcracker has some very interesting similarities.

If the next Secretary of U.S. CyberSpace is going to take the fight to those who wish to copy, delete, probe, scan, flood, bypass, steal, modify and spoof their way across our Digital Infrastructure, they could learn from this synopsis from Robert Haddick:

Does it take a network to beat a network?

On June 5 United States Joint Forces Command (USJFCOM) wraps up a week-long war game designed to test the Pentagon's vision of warfare in the future. The war game looks ahead to the year 2020 and examines how U.S. and allied military forces -- along with civilian government, non-government, and international institutions -- cope with a failing state, a globally networked terrorist organization, and a peer competitor. The results of the war game are supposed to influence the conclusions of this year's Quadrennial Defense Review, an in-depth review of the Pentagon's strategies.

Officials at USJFCOM won't discuss the results of the war game until at least July; many of the most interesting conclusions may remain classified. But the commander of USJFCOM, General James Mattis of the Marine Corps, described his vision of the future while delivering a speech at the Center for Strategic and International Studies.

Mattis discussed how today's adversaries have adapted to U.S. conventional military superiority by forming disaggregated networks of small irregular teams that hide among indigenous populations. United States military forces, by contrast, have only come under greater central control. According to Mattis, this shift is due to evolutions in intelligence-gathering and communications technologies. Call it the new iron law of military bureaucracies: when commanders gain the technical ability to micromanage, they will micromanage.

Mattis believes that in order to defeat modern decentralized networks, U.S. forces will have to become decentralized themselves. This will entail giving autonomy to and requiring initiative from the youngest junior leaders in the Army and Marine Corps. High-performance small infantry units, "a national imperative" according to Mattis, will need to operate independent from higher control, finding their own solutions to local problems as they implement broader policy guidance.


Whether the troops are fast roping out of helicopters or behind the flat screen detecting and analyzing the stealth cyber attack, the approach to defeating the adversaries is much the same. Infiltrating the "cells" and collecting valuable INTEL on the global enemy is what gives us the "Ground Truth." The commander for U.S. CyberSpace will soon be educated on the private sector's role in achieving this continuous and lofty goal of creating more decentralized and clandestine citizen soldiers.


As the private sector battles the non-state actors for preservation and protection of valuable customer data, corporations are simultaneously being attacked by adversarial plaintiff lawyers.

U.S. insurer Aetna has been targeted in a lawsuit alleging it failed to protect personal information of employees and job applicants, documents indicate.

The lawsuit comes after Aetna, of Hartford, Conn., was struck by computer hackers to access a company Web site holding personal data for 450,000 current and former employees as well as job applicants, the Hartford Courant reported Wednesday.


The private sector would enjoy having our government involved in more proactive efforts to seek out and stop these criminal and terrorist entities that prey on organizations that remain vulnerable. The Operational Risks associated with litigation in the corporate enterprise are here to stay. If the public and private sector can once and for all coordinate, collaborate and "Share Information", we can disrupt, capture, prosecute and defeat our cyber adversaries.

02 June 2009

Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the context of business gets on the Board of Directors agenda after every tragedy. Whenever the magnitude of the business disruption involves loss of life or major property damage, the executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Let's think about a simple process from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items that have been sold to the customer.

In the context of university higher education, think of the process of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about your supply chain that provides the necessary resources, energy, infrastructure and people to make it all happen. Does this business issue seem like a trivial matter?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begins. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech University in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her opinions magnify the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news. Just like you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well be more significant as the analysis and the investigation continues.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what when? The litigation is ongoing and some still are seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it gets boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all hazards approach is talked about and is continuously aware of the threats to life and property along with the economic implications of any business disruption? If you have people and property in California the answer is yes. Earthquakes, brush fires and now even the lack of government resources are existing risk factors. If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch then your organization should have heightened situational awareness and crisis management mechanisms already in place. The whole State of Florida, North & South Carolina, Louisiana, Texas and others who know the aftermath of Hurricane Katrina are sensitized to the requirements for effective preparedness.

So what is the difference in an event such as the "Active Shooter" scenario on your campus or the catastrophe sent by "Mother Nature"? The answer is the accuracy in predicting the event itself. All the preparedness for either event starts with the mind set that it will happen. Only one can be prevented, preempted or neutralized before it can cause harm.

Sadly, the Report of the (Virginia Tech) Review Panel to the Governor, issued in August 2007, contained important inaccuracies, despite the panel’s best efforts to get to the truth. University officials, it now appears, may have been less than candid and forthright in their responses to the questions put to them by the panel.

27 May 2009

SOC: Statement of Truth...

Global transnational organizations that provide executive security protective details are on the rise. Corporate personnel who must travel to high risk regions of the globe realize the requirement for a minimal, yet comprehensive, security envelope.

Back at the "Security Operations Center" (SOC) you will find a team of subject matter experts working in concert to continuously enhance the Operational Risk Management matrix. One set of analysts is tasked with media review and intelligence collection from Open Sources. One example could be CNN or even more regional sources such as Alhurra:

Alhurra (Arabic for “The Free One”) is a commercial-free Arabic language satellite television network for the Middle East devoted primarily to news and information. In addition to reporting on regional and international events, the channel broadcasts discussion programs, current affairs magazines and features on a variety of subjects including health and personal fitness, entertainment, sports, fashion, and science and technology. The channel is dedicated to presenting accurate, balanced and comprehensive news. Alhurra endeavors to broaden its viewers' perspectives, enabling them to make more informed decisions.

Another set of analysts is sifting through online intelligence portals such as Opensource.gov or Data.gov. However, when you have a specific executive who is traveling to a specific country, more detailed plans and advance work take place. These facets of corporate enterprise risk and operational risk management are vital to protect human assets and the ongoing continuity of business operations. Situational awareness enhancement is a 24/7 x 365 day process.

Whether your business takes you to Pakistan, Mexico or South Africa, the risk of bombing, H1N1 or criminal elements is a real potential threat:

Rob Watson of the BBC reports on the latest explosion in Lahore:

What is striking about this latest attack, and so worrying for the Pakistani authorities, is the timing and choice of target.

It occurred near the offices of both the local police chief and of the national intelligence agency, the ISI, and comes as the Pakistani military is engaged in a massive campaign against militants in the north-west. So the initial speculation is that this is in some way a revenge attack.

Questions will again be raised about the inability of the authorities to stop the attack altogether given they were clearly expecting reprisals and were on a heightened state after the two other recent attacks in the city.


Executive Protection Details have been utilizing the compendium of wisdom and research that is found in Gavin De Becker's latest publication, "Just 2 Seconds", and for good reason:

Think of every assassination you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.

From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for this book, all of them combined, took place in less than a half-hour. Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers.


Operational Risk is far more pervasive than detection of fraud or mitigating the loss events from internal theft of information or intellectual property. It's been said here in the blog before and it's worth repeating again this statement of truth:

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result to obtain their objective."

Whether you utilize this statement within the context of your digital domains, physical domains or the vast set of processes within the enterprise, it does not matter. What does matter, is that those individuals responsible for the survivability and the defensible standard of care of the organization, never forget it...

20 May 2009

OPS Risk: Military Lesson for Wall Street...

Air Force Brig. Gen. Mark W. Graper, the 354th Fighter Wing commander at Eielson Air Force Base, Alaska, has captured the essence of Operational Risk Management. Corporate Executives and mid-level management should have this made into a poster for their office and hanging in every hallway:

Summer is just around the corner, and many of us are planning for our favorite warm weather activities - fishing, hunting, hiking, motorcycling, camping and more. All of our summer plans can be fun if we keep in mind the basics of operational risk management: Accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; make risk decisions at the right level; assess and mitigate risk. Stated more simply, have a (prudent) plan, have a backup plan and have a wingman.

Whether you are focused on the safety and security of your personnel, the integrity and confidentiality of your information or the continuity of your business operations, it's a fact that effective "Operational Risk Management" will improve your organization's resilience factor. The brilliance of Brig. Gen. Graper's emphasis on this subject away from the flight line or "The Office" is his understanding that most of us will become more complacent the minute we hit the parking lot. You see, OPS Risk is not just something being advocated in the workplace. It's just as pervasive at home or in our own leisure activities. Whether you are climbing "Denali" or entertaining friends around the backyard pool, you have to be continuously in OPS Risk mode, or it could bring harm to life, limb or your own reputation.

Operational Risk includes the risk of litigation, and there is one source of threat to your corporate integrity you can be certain of: the employees, partners and suppliers of your organization.

Freddie Mac investors have filed expanded court claims accusing the mortgage finance company and three former executives of committing fraud by misleading them about risky loan practices and manipulating financial results.

The allegations, contained in a nearly 300-page court complaint filed late on Tuesday, are based in part on interviews with more than 100 former company employees and others who are described in the lawsuit as having knowledge of Freddie Mac's operations and finances.

One of the unnamed employees cited in the lawsuit is a former director of operational risk management at the company, who was quoted in the complaint as saying that Freddie Mac was an "appallingly run company" and that it was clear as far back as August 2007 that its capital position was inadequate.

"CONFIDENTIAL WITNESSES"

Other so-called "confidential witnesses" cited in the complaint include a former Freddie Mac vice president of investor relations and an ex-senior examiner with the Office of Federal Housing Enterprise Oversight, the company's regulator, now part of the newly formed Federal Housing Finance Agency.


What most organizations the size and complexity of Freddie Mac underestimate is the speed of change and the socially "connected" market economy. The blur of business, combined with the "Holistic Blindness" of what risks are a threat today or this week, can bring an enterprise to its knees and then to its ultimate demise.

Whether it's buying and packaging financial assets to sell on Wall Street or keeping your F-22 Raptor in the air to defeat hostiles, OPS Risk is the differentiator. Your survival depends on it.

12 May 2009

Economic Impact: Hedge Funds Beware...

In a recent ACFE study on the impact of an economic recession, the results are eye opening. More than half (55.4 percent) of respondents said that the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior.

Additionally, about half (49.1 percent) of respondents cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity (27.1 percent) and increased rationalization (23.7 percent).

The survey also found that:

  • Employees pose the greatest fraud threat in the current economy. When asked which, if any, of several categories of fraud increased during the previous 12 months, the largest number of survey respondents (48 percent) indicated that embezzlement was on the rise.
  • Layoffs are affecting organizations' internal control systems. Nearly 60 percent of CFEs who work as in-house fraud examiners reported that their companies had experienced layoffs during the past year. Among those who had experienced layoffs, almost 35 percent said their company had eliminated some controls, while 44.2 percent said the layoffs had no effect on controls and only 3.2 percent said their company had increased controls.
  • Fraud levels are expected to continue rising. Almost 90 percent of respondents said they expect fraud to continue to increase during the next 12 months. Additionally, the fraud most expected to increase is embezzlement.

These results are not too surprising. Internal control systems could be an issue if there are layoffs in the risk management departments or reallocated enterprise resources. The embezzlement schemes come in many forms, and the fraudsters know where and what areas will be neglected in oversight during the economic belt tightening.

Most of these fraudsters are brilliant "con men". They know how to prey on the human factors of greed and fear. Powerful emotions must be monitored by a "Corporate Vigilance" and awareness program. This preempts potential breaches and crisis incidents that will ultimately impact personal and corporate reputations.

Three factors are generally accepted as being necessary for a fraud to occur: pressure, opportunity, and the ability to rationalize illegal behavior. Unfortunately, the presence of each of these factors may rise in periods of economic hardship. Organizations and individuals alike can experience the pressure of increased financial strain. Opportunities for fraud could proliferate as many companies cut their workforces and otherwise reduce expenditures, perhaps leading to reduced internal controls and fewer proactive fraud prevention measures. And bombardments of bad financial news could cause mounting feelings of helplessness, pessimism, and isolation, which may, in turn, allow individuals to rationalize previously unthinkable acts.

So what can you do to detect early the potential existence of a suspected fraudster in your organization without subjecting current employees to retribution or put them into harms way? One effective strategy is to hire an outside entity to perform ongoing interviews and investigations that is independent of the internal audit department or OPS Risk staff. The other step is to compartmentalize the unit in terms of information exchange and to increase overall operational security.

Harry Markopolos, who spent 8 or 9 years investigating Bernie Madoff, did exactly this and for good reason. His team was operating in the field under his direction and was kept secret even while he was talking to the SEC. Why? Some of the off-shore funds Madoff was doing business with were only a few steps removed from organized crime, according to Markopolos. If these firms knew that Mr. Madoff was stealing them blind, they could have put some adversarial actions into play.

Once the fraudster gets the indicator that anyone is getting close to the point of questioning their behavior, you can bet the evidence will begin to be destroyed or masked. This destruction of evidence can begin with simply deleting e-mails or documents, or creating new e-mails or data to mask or cover up the trail of fraudulent activities. This is when the use of Digital Forensic examinations on weekends or evenings, while employees are away from the workplace, can help reveal the presence of "Anti-Forensics."

The presence of anti-forensic tools used to cover their tracks, their e-mails or where they are visiting on the Internet might be the first sign that you may have an actual fraud scheme in operational mode. Hidden or encrypted files found on an employee's laptop or desktop, created with unauthorized software tools or downloaded freeware, are a huge "Red Flag."
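One concrete way an examiner triages a disk image for the "hidden or encrypted files" red flag described above is an entropy sweep: encrypted containers and random-looking blobs sit near 8 bits of entropy per byte, while documents and e-mail stores sit far lower. The script below is an added example written for this post, not code from the blog or from any forensic product it mentions. It walks a directory tree, scores every file, and flags high-entropy files that lack the header of a known compressed format (gzip, zip, png, jpeg) or that hide behind a dot-prefixed name. The 7.5-bit threshold, the 1 KB minimum size and the three constructed sample files are assumptions for illustration, not values from the post; the random-byte file stands in for an encrypted container.

```python
import gzip
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes of formats that are legitimately high-entropy (compressed or
# already-encoded media). A high-entropy file WITHOUT one of these headers is
# the one worth a second look: it may be an encrypted container, or a file
# whose name and extension were changed to disguise what it is.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Random or well-encrypted data approaches 8.0 bits per byte; ordinary text
# and office documents sit well below. Both values are assumed tuning knobs.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 1024  # very small files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> dict:
    """Score one file: entropy, recognised format, hidden name, and a verdict."""
    data = path.read_bytes()
    entropy = shannon_entropy(data)
    known = next((name for sig, name in KNOWN_HIGH_ENTROPY_MAGIC.items()
                  if data.startswith(sig)), None)
    # Dot-prefix convention only; the NTFS hidden attribute is out of scope here.
    hidden = path.name.startswith(".")
    suspicious = (len(data) >= MIN_SIZE
                  and entropy >= ENTROPY_THRESHOLD
                  and known is None)
    return {
        "name": path.name,
        "entropy": round(entropy, 3),
        "known_format": known,
        "hidden": hidden,
        "suspicious": suspicious,
    }


def scan_tree(root: Path) -> list:
    """Classify every regular file under root, in a stable (sorted) order."""
    return [classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_constructed_sample(root: Path) -> None:
    """Constructed sample tree (not real evidence): plain notes, a gzip archive,
    and a hidden file of random bytes standing in for an encrypted container."""
    (root / "notes.txt").write_bytes(b"quarterly reconciliation notes\n" * 100)
    (root / "archive.gz").write_bytes(gzip.compress(b"customer ledger export\n" * 200))
    (root / ".vault.bin").write_bytes(os.urandom(4096))


def demo() -> dict:
    """Build the constructed sample in a temp dir; return results keyed by name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return {r["name"]: r for r in scan_tree(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {name:12} entropy={r['entropy']:.3f} "
              f"format={r['known_format']} hidden={r['hidden']}")
```

Run it as-is to see the constructed tree scored, or call scan_tree on a mounted read-only copy of the image under review. The magic-byte allow-list is deliberately short; in practice an examiner extends it with the container formats common in the environment, because a compressed file with its header intact is ordinary, while one with the header stripped or overwritten is exactly the kind of masking the post describes.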

It's important for any investigator to consider the human factors and the behavior associated with people under pressure and close to the end of their hidden occupational fraud operation. These typically have been going on for up to 24 months before they are discovered and you can be sure that they have thought about the day when they are finally discovered. The fight or flight mode kicks in at this point and organizations are obligated to mitigate the risks of harm to fellow employees.

Effective Corporate Integrity units in global enterprises require the right internal resources, independent outside expertise and a comprehensive OPS Risk framework to be more successful.

Hedge Funds have been on alert for months now. Marc Dreier, the New York law firm founder accused of defrauding hedge funds by selling $700 million in phony promissory notes, might face life in prison after pleading guilty to fraud charges.

According to prosecutors, victims of the fraud included Amaranth Group Inc., Perella Weinberg Partners, Eton Park Capital Management LP, Concordia Advisors LLC, Novator, Meyer Ventures LLC, Blackstone Group LP’s GSO Capital Partners and Elliott Management Corp.

The case is U.S. v. Dreier, 09-cr-85, U.S. District Court, Southern District of New York (Manhattan).

25 April 2009

Human Factors: Early-Warning System...

Predictive Intelligence And Analytics From 1SecureAudit Provides Transnational Organizations With A Preemptive Human Factors Early-Warning System

According to Managing Director and Chief Risk Officer of 1SecureAudit, Peter L. Higgins, the complexity of today's extended global enterprises requires a new governance lens to view hidden insider risks and to guide management executives to achieving a defensible standard of care.

"Our newest consulting practice accelerates the time line in identifying employee insider risks and potential threats associated with international client transactions," said Higgins. "Ms. Marcia Branco is launching our new client offering with more than a decade of experience identifying the complex connections between human behavior and corporate operational risk responsibility."

Advocating a "People First" approach, Ms. Branco, vice president, practice director of the Predictive Intelligence and Analytics practice, believes corporate personnel, partners and suppliers represent a tremendous asset and simultaneously a significant legal liability to a business. "People are the primary focal point to better understanding and resolving systemic risk problems within the walls of the enterprise and beyond to the extended supply-chain," said Branco.

The Association of Certified Fraud Examiners affirms "U.S. organizations lose an estimated seven percent of annual revenues to fraud," and insider negligence is the highest cause of data breaches, reports the Ponemon Institute & PGP Corporation. The complexity and quantity of insider threats is growing at the same time as businesses are facing shrinking budgets and mounting pressures to maintain and grow profits with fewer resources. "How successful has your company been at identifying and swiftly addressing issues, conflicts and preventing malfeasance? Whether originating internally from an employee or contractor or at your extended border of partners, suppliers and clients, predictive intelligence is essential?" asks Higgins.

1SecureAudit provides critical assessments, internal investigations, strategy execution and program development. These proactive governance and advisory services generate positive change to business culture, operations and bottom line.

"Our distinctive 'People First' approach examines your organization's human capital assets to gain unique insights on corporate culture, company issues and the workforce's attitude about management and business initiatives. We convert these human factor data into predictive intelligence to preemptively determine how to best shape current and new corporate strategies. Our clients are able to take advantage of short-lived opportunities, attract and retain employees, partners and customers, demonstrate a more defensible standard of care and promote a trustworthy corporate reputation," stated Branco. "Does your organization consistently adhere to and enforce corporate policies, ethical standards and procedures that value your employees and respond to shareholder advocates?"

Working with 1SecureAudit to integrate predictive intelligence in any business strategy and practices is a sound investment that directly contributes to corporate management's, Board of Directors', and shareholders' peace of mind. For more information, visit 1SecureAudit.com or e-mail RDU (at) 1SecureAudit.com.

14 April 2009

Predictive Intelligence: Data or Precogs...

The use of the term "Predictive Intelligence" has been around for a few years, born from the marketing collateral of the Business Intel (BI) vendors. Essentially, get a whole bunch of GB's of historical data and then use some new tools to mine it for so called insight. The question is, why is this predictive intelligence and not just more "Information"?

Now introduce the nexus of "Human Factors": the unexplained behavior of people influenced by environment, interaction with other people or even the substances people put inside their body. Whether it's the coffee kicking in, the hangover from last night's Monday Night Football party or the latest argument with your spouse, it influences your perceptions of information.

Christian Bonilla may be on to something here:

Professionals in the foreign intelligence community take pains to distinguish between information and bona fide intelligence. Any piece of knowledge, no matter how trivial or irrelevant, is information. Intelligence, by contrast, is the subset of information valued for its relevance rather than simply its level of detail. That distinction is often lost in the sector of the enterprise technology industry that is somewhat loosely referred to as Business Intelligence, or BI. This has become a bit of a catchall term for many different software applications and platforms that have widely different intended uses. I would argue that many BI tools that aggregate and organize a company’s information, such as transaction history or customer lists, more often provide information than intelligence. The lexicon is what it is, but calling something “intelligence” does not give it any more value. In order to sustainably outperform the competition, a company needs more than a meticulously organized and well-structured view of its history. Decision makers at all levels need a boost when making decisions amidst uncertainty and where many variables are exerting influence. They need what I would call predictive intelligence, or PI – the ability to narrow down the relevant variables for analysis and accurately measure their impact on the probability of a range of outcomes.

What does the fusion of human factors have to do with predictive intelligence? That depends on how much you value the kind of innuendo and messages in the Tom Cruise movie, Minority Report. Many aspects of the original Philip K. Dick story were adapted in its transition to a film that was shot in Washington, DC and Northern Virginia. Is it possible to predict someone's future behavior even before they commit a crime or become violent?

The film is set in the year 2054, where "Precrime", a specialized police department, apprehends criminals based on foreknowledge provided by three psychics called "precogs". Cruise plays the role of John Anderton, who is part of the experimental police force known as "Precrime." These aspects of clairvoyance and precognition have many skeptics, as does their use for predicting future events; a related term, presentiment, refers to information about future events which is said to be perceived as emotions.

Regardless of terms, beliefs or whether the software analytics are using historical data, the science of "Predictive Intelligence" is about forecasting the future. Given that forecasts built on historical data missed the recent global economic implosion, maybe it's time to start introducing more human factors to the equation.

People who go on record predicting some future event will probably be right at some point in time. How long will you be around to wait? The demise of General Motors and the extinction of Lehman Brothers, Bear Stearns and maybe even AIG were most likely predicted by someone, somewhere. The point is that you have to have context and relevance to the problem being solved or the question being asked.

Predictive analytics extracts information from data and attempts to forecast the future. It relies on capturing relationships between explanatory variables and the predicted variables from past occurrences, and exploiting them to predict future outcomes. Is it possible that there was, and still is, too much reliance on the numbers and not enough on people's intuition?

This blog has documented the "11 Elements of Prediction" in the past. Now it's time to utilize these human factors in close collaboration with the data analytics and the numbers. Effective execution of both will provide corporate management the situational awareness they seek within the timeline they need.

07 April 2009

Economic Impact: Proving the Truth...

The Madoff investigations into so-called "feeder firms" are now gaining momentum. The question of who the victims are and where fraud is suspected continues its due course. Client referrals are not a crime in themselves, and treating referral activity as evidence of fraudulent behavior is a flawed mindset. The current basis of the Merkin case has more to do with non-disclosure of where clients' money was actually invested:

Andrew Cuomo, the New York attorney general, yesterday filed civil fraud charges against the hedge fund manager Ezra Merkin, alleging he secretly channeled more than $2.4bn to Bernard Madoff's Ponzi scheme in exchange for lucrative fees.

The move is the second regulatory action in two weeks against one of the big so-called "feeder" funds that sent billions of dollars to Mr Madoff, who pleaded guilty to one of history's biggest investment frauds.

Mr Cuomo accused Mr Merkin, a leading figure in the New York charity community and former chairman of financing company GMAC, of steering money from charities, universities and non-profit organisations to Mr Madoff without their permission and reaping about $470m in fees for his three funds.

"Merkin duped individual investors, non-profits and charities into believing he was responsibly managing their investments, when in actuality he was dumping them into history's largest Ponzi scheme,'' Mr Cuomo claimed yesterday.


Operational Risk professionals in these hedge funds and other alternative investment firms are getting prepared. These organizations will continue to be under the regulatory spotlight for years to come. Fraud and the fear of fraud will make their potential clients even more diligent in their understanding of where their funds are being invested. The federal watchdogs, oversight mechanisms and civil law suits will require firms to have their risk management "Act" together.

When it comes time to prove the truth, whether innocent or guilty, it will come down to information. The likelihood that this information is housed in a database, e-mail system or off-site disaster recovery repository is almost certain. Digital information that is part of any inquiry for civil or criminal action is subject to the "Rules of Evidence" and the "Federal Rules of Civil Procedure." This is where most of the alternative investment firms have their greatest exposure and vulnerability today. Call it the "Readiness Factor".


In a groundbreaking case from the past year, Qualcomm Inc. v. Broadcom Corp., No. 05CV1958, 2008 WL 638108 (S.D. Calif. March 5, 2008), the court found the plaintiffs to have committed "monumental and intentional" discovery violations for failing to produce thousands of documents requested in discovery. The court cited the "impressive education and extensive experience" of Qualcomm's attorneys to justify significant sanctions for failure to produce relevant e-mails, including reporting to the State Bar of California.

The "Readiness Factor" goes far beyond the process or procedures for preserving evidence. It starts with the creation of information inside the organization. How is it classified, where is it stored and who has access to it? These are fundamental Information Technology and Records Management 101 questions that any prudent organization has already answered. Where most firms find themselves with their backs up against the "legal wall" has to do with relevance, authenticity, and admissibility of information.

The "Alternative Investment" industry is quickly learning that its own IT professionals are going to end up on the witness stand and in early depositions. They are going to be hearing questions such as:

  • What policies or procedures do you manage in your department/organization?
  • What training do you have on the collection and preservation of "Electronically Stored Information"?
  • Explain your responsibility for, or supervision of, access controls, folder management, indexing, purging controls and metadata.
  • Describe the procedures your firm utilizes to identify the places, people (custodians) and quality of the data that has been preserved for this case.

The list continues, and the IT professionals had better be ready. Adversarial counsel will be digging deep to get after the key components of authenticity and spoliation. The unfavorable outcomes from a lack of readiness can produce an "Economic Factor" that far exceeds the cost of just finding and producing the information for e-Discovery.
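The authenticity and spoliation questions above come down to one thing an IT witness can actually show: that what was preserved is byte-for-byte what was collected. Here is an added example, not from the original post or any vendor, of the minimal preservation manifest that backs up such testimony. It records each preserved file's path, size, modification time and SHA-256 hash, seals the file list with its own hash, and later re-checks the tree to report anything missing, modified or added. The custodian name, collector name, directory layout and file contents are all constructed for the walk-through and are not taken from any real matter.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large mailbox exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _relative(path, root):
    # Normalise separators so a manifest written on one platform verifies on another.
    return os.path.relpath(path, root).replace(os.sep, "/")


def build_manifest(root, custodian, collected_by):
    """Record, for every file under root, the facts an examiner is asked about on the stand:
    where it was, how large it was, when it was last modified, and its cryptographic hash."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            info = os.stat(path)
            entries.append({
                "relative_path": _relative(path, root),
                "size": info.st_size,
                "mtime_utc": datetime.fromtimestamp(info.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    entries.sort(key=lambda e: e["relative_path"])
    # Seal the sorted file list so the manifest itself cannot be quietly edited later.
    listing = json.dumps(entries, sort_keys=True).encode("utf-8")
    return {
        "custodian": custodian,
        "collected_by": collected_by,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
        "manifest_sha256": hashlib.sha256(listing).hexdigest(),
    }


def verify_manifest(root, manifest):
    """Re-hash the preserved tree and report what is missing, modified or added since collection."""
    listing = json.dumps(manifest["files"], sort_keys=True).encode("utf-8")
    if hashlib.sha256(listing).hexdigest() != manifest["manifest_sha256"]:
        raise ValueError("manifest file list does not match its recorded hash")
    expected = {e["relative_path"]: e["sha256"] for e in manifest["files"]}
    problems = {"missing": [], "modified": [], "added": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = _relative(path, root)
            seen.add(rel)
            if rel not in expected:
                problems["added"].append(rel)
            elif sha256_file(path) != expected[rel]:
                problems["modified"].append(rel)
    problems["missing"] = sorted(set(expected) - seen)
    problems["added"].sort()
    problems["modified"].sort()
    return problems


def demo():
    """Constructed walk-through: preserve a tiny custodian export, then tamper with it."""
    root = tempfile.mkdtemp(prefix="esi_")
    try:
        os.makedirs(os.path.join(root, "mail"))
        with open(os.path.join(root, "mail", "2008-11-referral.eml"), "w") as fh:
            fh.write("From: advisor@example.test\nSubject: referral\n\nConstructed sample message.\n")
        with open(os.path.join(root, "positions.csv"), "w") as fh:
            fh.write("fund,custodian,value\nFundA,CustodianX,100\n")
        manifest = build_manifest(root, custodian="J. Doe (hypothetical)", collected_by="IT forensics")
        clean = verify_manifest(root, manifest)          # expected: nothing to report
        # Spoliation scenario: one record edited, one deleted, one new file dropped in.
        with open(os.path.join(root, "positions.csv"), "a") as fh:
            fh.write("FundB,CustodianX,0\n")
        os.remove(os.path.join(root, "mail", "2008-11-referral.eml"))
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("added after collection\n")
        tampered = verify_manifest(root, manifest)       # expected: one of each problem
        return manifest, clean, tampered
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    _, before, after = demo()
    print("after collection:", before)
    print("after tampering:", after)
```

The manifest is only as good as its own custody: write it to write-once media or sign it, and keep the collection timestamp, because the mtime recorded here is the file's, not the examiner's.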

The economic impact of proving the truth in any case can be significant. If you were a savvy and smart prosecutor, the cases that would filter to the top for scrutiny may very well be those firms that display the most "IT Immaturity." Getting some wins under your belt with some relevant case law could determine how fast future cases are settled far in advance of ever getting to trial.

For those "Alternative Investment" firms that are behind the 8 Ball, here is a good place to start your own discovery of the total cost of proving the truth. The E-Discovery Road Map.

01 April 2009

4GW: Irregular Warfare in the Homeland...

Why is the US House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities soon holding a hearing entitled "Terrorism and the New Age of Irregular Warfare: Challenges and Opportunities"?

Here is one good reason:

Baitullah Mehsud, the leader of the Pakistani Taliban recently claimed responsibility for the deadly attack that took place at a police academy on Monday in Lahore, Pakistan. But that’s not all. According to Mehsud, the next attack is going to be much closer to home. In a phone interview with the Associated Press, Mehsud indicated that his terrorist organization was planning a devastating attack on Washington D.C. that would “amaze” the world. Heritage analyst James Phillips told Fox News:

It should be taken seriously because [Mehsud] has ordered the deaths of many Pakistanis and Afghans and has a close alliance with Al Qaeda. It’s not too much of a stretch to think he might be involved in an attack on the U.S. if he’s able to get his followers inside the United States. He’s a militant extremist whose threats cannot be ignored.

Though most Americans associate terrorist attacks with bombings, armed ground assaults can be just as deadly and disruptive. The most dramatic recent example was the terrorist attacks that took place in Mumbai, India last November, killing almost 200 people.

Ground assaults are not just a terrorist tactic that might happen over there. Over here, it has been less than two years since six terrorists were thwarted in their attempt to assault Fort Dix in New Jersey.


The 4GW (Fourth Generation Warfare) strategy is well over five years old. We are glad to see that one of the best on this topic will be at the Armed Services hearing on Capitol Hill. Let's hope John Robb gets an opportunity to outline the following:

Differences
Many of the methods used in 4GW aren't new and have robust historical precedent. However, there are important differences in how it is applied today. These include:

  • Global -- modern technologies and economic integration enable global operations.
  • Pervasive -- the decline of nation-state warfare has forced all open conflict into the 4GW mold.
  • Granularity -- extremely small viable groups and variety of reasons for conflict.
  • Vulnerability -- open societies and economies.
  • Technology -- new technologies have dramatically increased the productivity of small groups of 4GW warriors.
  • Media -- global media saturation makes possible an incredible level of manipulation.
  • Networked -- new organizational types made possible by improvements in technology are much better at learning, surviving, and acting.

Corporations, government agencies and the private-sector owners of strategic critical infrastructure are continuing their vigilance in light of the emergence of 4GW. More than ever, effective OSINT (Open Source Intelligence) gathering at the street level is imperative. Yet all the HUMINT and sensor-based collection of data will not cure the myopia of insight unless there is a rapid adoption of the new mantra: "Responsibility to Provide."

The "Responsibility to Provide" statement is rapidly replacing the old and ineffective rule of "Need to Know". Our adversaries realize that our "Need to Know" mentality is one of our greatest vulnerabilities, and they will continue to exploit this weakness. Washington, DC has just emerged from a period of coordination, cooperation and unprecedented effectiveness across legal, political and jurisdictional boundaries. The fact is that the 44th Presidential Inauguration bound together thousands of people across the country to keep our Nation's Capital safe and secure in January. This mission was accomplished, and the result was felt keenly by those who were in the middle of the operational command centers, such as WRTAC, the Washington Regional Threat and Analysis Center.

WRTAC provides DC Metro partner agencies and local jurisdictions with a watch command, plus an Open Source Daily Brief of current news articles relating to terrorism, homeland security, critical incident response and public safety. The key factor here is "Relevance" on the ground level to your own community and the local assets needed to raise situational awareness.

If Baitullah Mehsud is telling the truth, then it is not so much a matter of "what" 4GW tactics will be utilized, it is a matter of "when."

24 March 2009

Unthinkable: Adapting in New World Disorder...

Some 35 million electronic records of Personally Identifiable Information (PII) were exposed in 2008, and the number of reported breaches was up 47% over the previous year, according to the Identity Theft Resource Center (ITRC).

Will 2009 bring more data breaches, lost laptops and insider theft than 2008? You can bet on it, and this is why CSOs, CPOs and General Counsels are getting their teams ready. When the enemy is increasing their attacks, utilizing new strategies and leveraging the existing base of compromised assets, the picture is clear.

That suggests that many companies can significantly boost security and reduce their exposure by following basic and inexpensive measures. But even if your company has encryption in place (as Heartland did), don't rest too easy. "The sophistication and automation of financially motivated cybercrime is very steep today when compared with counter-efforts," says Ken Dunham, director of global response at iSight Partners, a provider of threat intelligence services. "Criminals are agile and able to outpace the rate of adoption of counter-technologies in the marketplace."

The motivation for cybercrime is even higher during economic hard times. A January report by iSight says that the economic decline in the United States and around the world will significantly increase the risk organizations face from employees who are laid off, fear being laid off, or face some form of personal financial trouble that may lead some to consider insider crime.


The insider remains a key focus for Operational Risk Management professionals because human behaviors are exaggerated during periods of stress, fear and uncertainty. This means that people who may not have any prior criminal history, and have never considered doing something to jeopardize their reputations, may now be up against a wall. When there is no exit and no way out, people do extraordinary things to get ahead, beat the odds and hedge their own risk portfolio of life. Study the women who have made decisions to strap on suicide vests, or the dozens of "Mini Madoffs" yet to get their day in court. Both have similar attributes tied directly to human behavior.

In Joshua Cooper Ramo's new book "The Age of the Unthinkable: Why the New World Disorder Constantly Surprises Us and What We Can Do About It", the author discusses the concept of Deep Security. His analogy for how to think about "Deep Security" is the biological immune system: "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."

The key word in Ramo's writing is "Adapt". Being Adaptive. However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy fraud investigator on how she solved the case and you may hear just that, "I had a hunch." Talk with a Chief Privacy Officer in any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems, data networks and the hundreds of laptops circling the globe with company executives is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern enterprise does not come naturally. You have to work at it, and it requires a substantial investment in time and resources to make it work effectively. Once you realize that all of the controls, technology and physical security are not going to keep you out of harm's way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

17 March 2009

Situational Awareness: Reality in ORM...

Situational Awareness has always been a key factor in effective Operational Risk Management and Real-Time Incident Command.

Situation awareness (SA) involves being aware of what is happening around you to understand how information, events, and your own actions will impact your goals and objectives, both now and in the near future. Lacking SA or having inadequate SA has been identified as one of the primary factors in accidents attributed to human error.


What you know and when you know it can make the difference between life and death, as in weather forecasting ahead of the next Hurricane Katrina.

However, it can also provide you with the intelligence you need to save lives and avoid new risks as a more sudden and unpredicted threat unfolds. Whether it's the active shooter, the disgruntled employee or an international hotel under siege, it should not matter. Let's take a minute and look at a sample timeline of the Mumbai attacks of November 26, 2008, taken from situational reports:

  • Two terrorists have barricaded themselves in the Oberoi Hotel; 3 dead and 25 injured. 11/26/08 10:31 PST
  • Terror strikes at 12 places in Mumbai. Up to 20 hostages held at Oberoi Hotel. 11/26/08 11:57 PST
  • Several British and American civilians among hostages at two hotels. Explosion reported at Taj Hotel. 11/26/08 13:59 PST
  • Explosions and fire reported at Oberoi Hotel; clashes continue in multiple locations across Mumbai. 11/27/08 07:23 PST
  • Indian elite commando chief is reporting that the Oberoi-Trident Hotel has been cleared of terrorist threat. 11/28/08 01:03 PST
  • Counter-terrorism operations declared over; at least 195 killed in attacks. An investigation is underway. 11/29/08 16:06 PST

Look at the time stamps and the lag time between each one. The person writing these bullets for a "Flash" message to subscribers, or for people asking for text-based updates, was either not using all of the potential assets available to them, or just did not think the other information unfolding was relevant. This 1998-style "Situational Awareness" reporting is not only dangerous, it's letting the "Grey Matter" get in the way.
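The lag the author points at can be measured rather than eyeballed. Below is an added example, not part of the original post, of the check a watch officer in a SOC or command center would run over an incoming situational-report feed: parse each report's timestamp, compute the silence since the previous update, and flag every report that arrived after more than a set threshold of minutes. The six records are constructed from the bullets above (headlines abbreviated, all times taken as PST as printed); the 60-minute threshold is an assumption chosen for the illustration, not a figure from the page.

```python
from datetime import datetime

# Constructed from the six Mumbai bullets above: (timestamp as printed, abbreviated headline).
SITREPS = [
    ("11/26/08 10:31", "Two terrorists barricaded in Oberoi Hotel; 3 dead, 25 injured"),
    ("11/26/08 11:57", "Terror strikes at 12 places; up to 20 hostages at Oberoi Hotel"),
    ("11/26/08 13:59", "British and American civilians among hostages; explosion at Taj Hotel"),
    ("11/27/08 07:23", "Explosions and fire at Oberoi; clashes continue across Mumbai"),
    ("11/28/08 01:03", "Oberoi-Trident Hotel cleared of terrorist threat"),
    ("11/29/08 16:06", "Counter-terrorism operations declared over; at least 195 killed"),
]


def parse_sitrep_time(stamp):
    """Parse the feed's 'MM/DD/YY HH:MM' stamp; all entries share one zone, so naive datetimes suffice."""
    return datetime.strptime(stamp, "%m/%d/%y %H:%M")


def report_gaps(sitreps):
    """Return [(minutes since the previous report, headline)] in chronological order.
    The first report has no predecessor and is recorded with a gap of 0."""
    ordered = sorted((parse_sitrep_time(stamp), text) for stamp, text in sitreps)
    gaps, previous = [], None
    for when, text in ordered:
        minutes = 0 if previous is None else int((when - previous).total_seconds() // 60)
        gaps.append((minutes, text))
        previous = when
    return gaps


def stale_reports(sitreps, max_gap_minutes=60):
    """Headlines that reached subscribers more than max_gap_minutes after the previous update."""
    return [text for minutes, text in report_gaps(sitreps) if minutes > max_gap_minutes]


def longest_silence(sitreps):
    """The single worst gap in the feed, as (minutes, headline that finally broke the silence)."""
    return max(report_gaps(sitreps), key=lambda pair: pair[0])


if __name__ == "__main__":
    for minutes, text in report_gaps(SITREPS):
        print(f"{minutes:5d} min  {text}")
    print("stale after 60 min:", len(stale_reports(SITREPS)), "of", len(SITREPS))
    print("longest silence:", longest_silence(SITREPS))
```

Run over the feed above, every report after the first exceeds a one-hour threshold and the worst gap is nearly 39 hours, which is the quantitative version of the author's complaint. The same three functions work unchanged on any feed that carries a timestamp per message; only the `strptime` pattern needs to match the source.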

The problem with most "Situational Awareness" capabilities is that the subject matter experts, commanders in the SOC/NOC, or the business CEO 2,000 miles away are letting the "interpreters" on the street in the heat of the crisis determine what is important.

The second issue, until now, is that the information is not "Real-Time". Let's solve this problem once and for all.

RealityVision™ software gives organizations something they have never had before: the ability in a crisis environment to instantly broadcast live video and other data from the scene that can be shared immediately with everyone who needs to see it, wherever they may be located and without any intervention on their part.

If you’re an individual who’s responsible for preventing or quickly resolving critical events that cannot be predicted, Reality Mobile enables you to quickly monitor and appraise situations remotely using continuous, live video, transmitted from field personnel using off-the-shelf devices and any commercially available network.

From terrorist threats to train derailments and traffic accidents, remote equipment malfunction and infrastructure damage, our RealityVision™ software puts you instantly in the know and in control. With RealityVision, you can now immediately create a shared perspective with all team members regardless of where they are around the world.

Your Operational Risk Management tool box is now up to date. Pay it forward.

07 March 2009

Compliance: Workplace Security, Ethics & Governance...

Bernie Madoff clones and the 11,000 other unregulated investment advisors across the US will be subjected to increased scrutiny in 2009 and beyond. The SEC, FINRA, US Treasury FINCEN, FBI and the tribe of banking regulators are all gearing up for audits, inspections and more granular forensic accounting examinations.

Fraud and the corruption of corporate America are hard to detect, and even more difficult when the watchdogs are too busy or lack the resources to do the job effectively. Post-Enron, with the whole SOX wave of documentation, controls implementation and testing, the Big Four accounting firms were very busy.

The cases are among a series of recent alleged frauds at financial firms. While they have been handled differently, they have shined a light on loopholes in federal regulations, such as fragmented regulations governing brokers, investment advisers, auditors and other firms. And the cases have underscored obstacles facing authorities, including inadequate resources for detecting wrongdoing and difficulties in gaining access to foreign financial accounts.

"Reform is needed to close the existing regulatory gaps that expose investors to risk," said Richard Ketchum, chief executive of the Financial Industry Regulatory Authority, Wall Street's self-policing agency.

SEC Chairman Mary L. Schapiro is looking to work with lawmakers to overhaul the nation's financial regulatory system. This week, the SEC announced that it would partner with a government-funded research center to study ways to better assess the thousands of tips and complaints that come in each year. The House and Senate plan to consider legislation as early as late spring that would bring all financial activities under federal regulation. The details, however, aren't clear.

At the SEC, Schapiro plans a new focus on spotting fraud and other market manipulation early on. She plans to create a large team to seek out where abuses might be occurring. Then she plans to direct the SEC's limited examination staff toward those places. "We've got to be able to conduct risk assessment that allows us to understand where problems might arise and connect the dots between different problems in different places -- whether they're generated by different products, different firms or different trends in the economy," Schapiro said in a recent interview.


The internal threat to your institution from your own employees, who may do you harm intentionally or not, is a core factor in day-to-day Operational Risk Management. Where it gets more interesting to plaintiff lawyers is when there is a clear pattern of ignorance, or just plain lack of resource allocation or funding for policing the organization. The even more vulnerable facet of the OPS Risk mosaic could be the supply chain of companies and people who perform vital outsourced functions. How many mission-critical components of running your business have you handed over to call centers, ISPs and hosting companies, distribution and delivery, and back-office administration including accounting and payroll?

One of the key areas of due diligence long overlooked at these investment advisers is the supply chain of feeder firms. The alternative investment industry has its reach into the accountants and tax advisory services for a good reason. They are the ones who prepare your tax returns. Their insight into your cash flow, ability to invest and need to hedge potential tax liability gives them the opportunity to be great referral agents. How many times has your tax advisor recommended you go see a friend in the alternative investment industry?

Creating awareness among the ranks of corporate America that everyone is going to be under the magnifying glass won't change the motivators:

  • Money
  • Ideology
  • Compromise
  • Ego

Economic challenges inside the corporation or on the home front can increase exposure to heightened threats in the workplace. These include violence, fraud and product theft at a minimum. However, the greatest asset of value being attacked, stolen and sold to the highest bidder is information. Corporate espionage and good old-fashioned competitive intelligence are a 21st-century Operational Risk Manager's nightmare.

Workplace Security, Ethics and Governance programs will continue to be a focus for auditors and inspectors general. A lack of evidence of effective and robust efforts to deter, detect, defend and document within the confines of the institution could be a differentiator when it comes time for any sentencing guidelines to be considered.

§8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

01 March 2009

Future Risk: Citizen Soldiers Extinct...

It's not often that we see an editorial article that prompts us to get the scissors out of the drawer to cut it out of the Washington Post. This opinion by Matthew Bogdanos is worth some additional review from an Operational Risk perspective. He is a Colonel in the U.S. Marine Corps Reserves and an assistant district attorney for New York City.

"A nation largely founded on the citizen-soldier ideal finds itself, following Vietnam and the expulsion of recruiters from campuses, with the military and civilian worlds warily eyeing each other across a cultural no man's land. As budgets shrink future forces, veterans will be fewer and the chasm wider -- to our peril.

No one wants everyone to think and act alike. Diversity is a major source of our nation's strength. But this diminishing shared experience leaves us ill-prepared against global terrorism. As the British general Sir William Butler warned a century ago, "A nation that will insist upon drawing a broad line of demarcation between the fighting man and the thinking man is liable to find its fighting done by fools and its thinking done by cowards."

We will leave it up to the Operational Risk Managers of the globe whether to agree with Col. Bogdanos and his comments. What is our take away from his words about "Duties That Are Best Shared?" We think it's quite simple.

How can an "Operational Risk Manager" make effective decisions without having walked a few "clicks" in another person's boots? Decision support from the Incident Command Center is far more effective if the person making those decisions has relevant first-hand experience. Asking a newly hired employee to take the week-long orientation training without having done it yourself is not only bad management, it's reckless governance of the organization.

Years ago after the invasion of Baghdad, this OPS Risk manager (Bogdanos) did what we do every day. He adapted, improvised and overcame risks in order to recover stolen artifacts from the museums. The investigation was successful because not only was he someone that had experienced what it was like to operate in a war zone, he also was a subject matter expert on much of what was recovered.

If you are going to be an effective risk manager, you have to train with your troops in the business unit or the base. You have to know first hand what you are talking about. Without these, "we risk a future without all of us working towards the same ends --whatever society decides those ends should be."

25 February 2009

CAG 17: Red Team ...

The Consensus Audit Guidelines (CAG) are now public and the 20 controls are vital to our enterprise business resilience. One stands out however that is not automated and requires a specific advance strategy. CAG: Critical Control 17: Red Team Exercises:

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.

This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercises in the traditional sense of military exercises, where the three goals are improved readiness of the organization, better training for defensive practitioners, as well as inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.


We would like to emphasize the importance of executing this strategy beyond the IT and information systems within the organization. In any significant business disruption or "incident", whether it be the breach and theft of a database full of Personally Identifiable Information (PII) or the breach of a rear window of a corporate executive's residence to initiate a kidnapping plot, the goal remains the same:

"Attackers use tools to exploit a vulnerability; to create an action on a target, that produces an unauthorized result to obtain their objective."


Think about it for a minute. Whether it be the online digital world or the offline physical environment your organization is operating in today, someone is probing and testing your vulnerabilities. The only possible way for you to discover them before your adversary does is to continuously attack your own business and its assets. And perhaps most importantly, it must be done on a clandestine basis.

clandestine
1566, from L. clandestinus "secret, hidden," from clam "secretly," from base of celare "to hide"

What value can be gained from exercises or testing conducted with advance warning to your staff or team? Very little. To execute the "Red Cell" approach so that it effectively improves and increases the resilience of your organization, the strategy execution must remain secret. Yes, of course there will be people placed in key areas throughout the organization who know that the attack on the organization is a planned exercise. However, that is only for safety and liability purposes, along with the potential injection of simulations that increase the effectiveness of the vulnerability testing.

The CAG has 20 controls that are focused on cyber defense, and 25% of these will require manual intervention, planning and effective oversight. Automated tools can only go so far to address the real goal of understanding human behavior during and after a "Real Incident" actually unfolds. In the context of a Red Team exercise, you must include the use of Gavin De Becker's "Elements of Prediction" with your employees and stakeholders.

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the preincident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable - though not necessarily identical - to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This is how and where you extend your physical controls to the actual people who will make the difference before and during a critical incident in your enterprise.

21 February 2009

Oversight Risk: Evidence of Compliance...

In light of the tremendous announcements of corporate and financial malfeasance over the past few months, there is a "cramdown" in the works. The US Office of the Special Inspector General for the Troubled Asset Relief Program (SIGTARP) is gearing up.

The Office of the Special Inspector General for the Troubled Asset Relief Program ("SIGTARP") was established by the Emergency Economic Stabilization Act of 2008 ("EESA").

Under EESA, the Special Inspector General has the responsibility, among other things, to conduct, supervise and coordinate audits and investigations of the purchase, management and sale of assets under the Troubled Asset Relief Program ("TARP"). SIGTARP’s goal is to promote economic stability by assiduously protecting the interests of those who fund the TARP programs - i.e., the American taxpayers - by facilitating transparency in TARP programs.

Transparency and effective oversight in the TARP will be accomplished in coordination with other relevant oversight bodies, and by robust criminal and civil enforcement against those, whether inside or outside of Government, who waste, steal or abuse TARP funds.

The Special Inspector General, Neil M. Barofsky, was confirmed by the Senate on December 8, 2008, and was sworn into office on December 15, 2008.


As the new Stimulus Package works its way to the local and state governments, additional oversight will be placed on the bidding, procurement and contracting processes. Compliance with federal and state laws will become ever more vital as funds are applied under TARP in the mortgage markets and "shovel ready" projects are funded for maintenance and repair of critical infrastructures.

As the government ramps up to spend trillions of dollars to revive the economy, loopholes in federal law and a shortage of FBI agents assigned to investigate white-collar crime could lead to a big payday for perpetrators of mortgage fraud and other schemes.

That's the view of lawmakers who want to extend federal fraud laws to private mortgage companies that aren't regulated at the federal level, and provide $155 million a year to the U.S. Justice Department to triple the number of active mortgage-fraud task forces and help the FBI rebuild its white-collar investigation program.


So what should a Chief Compliance Officer or Vice-President of Operational Risk Management at an institution be concerned with over the next few years? Get ready. First and foremost, the Board of Directors will be focused on "Corporate Governance Strategy Execution." Public institutions that have most recently taken on the role of a more traditional bank in order to become eligible for government funds are most at risk. Some of these include traditional insurance companies and credit or charge card institutions. This is because they have not had the controls, staff and policy programs in place to deal effectively with all of the new banking regulations and compliance mechanisms the oversight agencies will be scrutinizing during their audits.

Securities and Exchange Commission Chairman Mary Schapiro plans to look into whether the boards of banks and other financial firms conducted effective oversight leading up to the financial crisis, according to SEC officials, part of efforts to intensify scrutiny of the top levels of management and give new powers to shareholders to shape boards.

As she examines what went wrong, Schapiro is also considering asking boards to disclose more about directors' backgrounds and skills, specifically how much they know about managing risk, said the officials.

As new sources of funding flow to the organizations for redistribution to consumers or small businesses, the oversight process must be implemented up front. The human factors will play a tremendous role in whether ethics are applied consistently or are absent altogether in day-to-day operations. Boards of Directors will ensure that corporate management is injecting the correct amount of corporate governance and compliance management oversight to keep human behavior and red flags in check. Operational Risk Managers will be busy expanding their breadth and reach into the corporate enterprise for years to come.

10 February 2009

Executive Security: Personal Protection Specialist...

In the corporate Protective Security environment, the "Advance Work" will ensure your success or contribute to the embarrassment or injury of your client/principal. Professionals in Protective Security Details (PSD) realize that your site or lead advance agent can make or break the entire operational risk strategy for your proactive and preventive security measures.

Thinking like the DEVGRU attacker and possessing a "Red Cell" mentality is a valid approach for several aspects of the advance work necessary to ensure an effective "protective envelope". What ends up being the greatest threat to your operation may be technology itself. Too much reliance on new high-tech tools such as "Google Maps" or even the Garmin GPS will create a vulnerability at the moment your principal says, let's change the itinerary or the location of the next meeting. A "15 Minute Map" compiled from a good old-fashioned road atlas can be the low-tech tool that prevents chaos and saves lives.

21st Century Executive Security and modern-day Personal Protection Specialists (PPS) who understand the value of the "Advance" and apply it effectively will continue to keep their principals safe and secure, with a high degree of professional client service. Corporations operating in countries where executives are required to visit critical infrastructure plants and manufacturing facilities or meet with government officials have been incorporating more protective intelligence and advance work for good reason. The global business environment is increasingly volatile and subject to the political risks and subjective "Rule of Law" in many emerging economies.

Whether it is weapons at close range or at a distance, explosive IEDs or kidnapping plots, today's global and mobile executive is more at risk. Advance Work is the most important and critical aspect of the security operation. Site and route surveys, and "eyes on" residences, airports and buildings including hotels, hospitals, police stations, restaurants and convention centers, are a mandatory component of the advance operations.

Surveillance Detection (SD) remains a vital facet of the advance work, including the ongoing SD as the Protective Security Detail agents run the operation. The Principal is potentially aware of such activity yet is shielded from any less-than-lethal imminent threats as the day's agenda unfolds.

What may be more obvious is the PSD's use of "Cooper's Colors":

By using a well-practiced, concrete, formulaic train of thought, it prevents the hesitation normally experienced when one is under threat of attack or actual attack, and this is the purpose of the code, to prevent unnecessary hesitation, and to apply only that force which is necessary to defend yourself. The way Jeff Cooper explains it is:

White - relaxed and fairly oblivious of your surroundings, you should only be in this condition if you are at home or another secure setting behind locked doors.

Yellow - the state of not only constant awareness, but the constant recognition of possible threats. In this state, you are observant of your surroundings, allowing you to recognize threats if they present themselves.

Orange - in this state, you have recognized a potential threat, and are ready to defend yourself against this threat if necessary.

Red - you are actively defending yourself or others against a threat that has presented itself to you.

It's not just about general awareness, it's about positively identifying potential and actual threats as you go about your daily life. It's this threat identification and acquisition process that is so valuable, and that reduces your response time to those threats if they present themselves.

Executive Security and the Personal Protection Specialist (PPS) become an even more vital asset in the OPS Risk portfolio, where the Board of Directors has authorized significant premiums for an executive's kidnap and ransom (K & R) insurance. Why? Like many aspects of our society today regarding information privacy, one only wonders how information gets leaked from the confines of the corporate enterprise. Operational Risks to and from people in your organization exist every day. Insuring against losses and protecting against loss events is imperative. Utilizing the correct strategy, tools and human assets to comprise the entire security envelope, including the effective use of Protective Security Details, can make all the difference in your organization's deterrence factor.

26 January 2009

PII: Achieving a Defensible Standard of Care...

A data security breach of "Personally Identifiable Information" (PII) will impact your organization in the future. This incident is no different than other Operational Risk loss events to your global enterprise this year, such as occupational fraud or the settlement of a lawsuit. Correct?

This time however, the difference is that now your own employees or your customers are the victim. Their PII has been lost or stolen and your organization has been the safeguarding entity of that valuable data until now. Your response is vital and the way you legally and ethically behave is a significant risk factor in itself.

Your brand reputation in the marketplace is on the line and the potential churn in lost customers or employees is at stake. Like many post 9/11 companies, your crisis response protocol is already in place for incidents that require your senior executives and the establishment of an immediate Incident Response Team (IRT).

So why is lost or stolen PII such an important executive issue for any organization?

In privacy, PII is less restrictive than in Information security, and one definition can be found in the EU directive 95/46/EC:

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.


As your General Counsel and Chief Privacy Officer begin to assess the magnitude and breadth of your recent PII exposure, so too do the plaintiffs' lawyers. Now the clock starts ticking and each tick gets louder and louder, as different litigation strategies are discussed. In Board Rooms and judges' chambers across the United States, the Federal Rules of Civil Procedure (FRCP) and the admissibility of "Electronically Stored Information" (ESI) are being discussed as a legitimate component of evidence and its relevance in the case.

What if you could now "Rewind" this scenario and find yourself in a "legal safe zone" to adequately prepare for, prevent and even preempt a "Data Security Breach" in your organization? This "legal safe zone" is available today and is as close as your corporate executive conference room, with several "Subject Matter Experts" working side-by-side. It's a professional service solution from the data breach services leader, idexperts.

The "Achieving a Defensible Standard of Care" Readiness workshop in your organization begins with a two-day facilitated process for discovery and convergence with your fellow company executives. You will be engaged in a proactive, preventive and preemptive tactical plan in preparation for the day of your next PII-involved Data Security Breach. Upon completion, this operational plan establishes the baseline framework for a complete team-based drill. This outcome will then test the readiness of your key stakeholders, internal and external to the company. More importantly, it provides the strategic insight on what vulnerabilities still exist in your particular organization's approach to remediation and legal compliance.


Each year, despite security efforts, millions of personal records are compromised as a result of corporate and public-sector data breaches. Breach response costs - mandated notification, PR, call handling, credit monitoring and legal fees - can add up, yet traditional approaches don't fully mitigate the risk to your business or your customers.


A data security breach of "Personally Identifiable Information" (PII) will impact your organization in the future. The next one will be different.

18 January 2009

Vigilance: Human Factors of Complacency...

Two days from now, Washington, DC will be in the midst of a historic Presidential Inauguration and President Obama will be moving into his new house on Pennsylvania Avenue.

The day after, on January 21, 2009 our Operational Risk Managers from across the spectrum of government will be looking to set their respective agendas for the next four years. The outgoing administration is quickly getting their new offices set up with lobby shops and law firms to continue their power agendas. Some are headed to the private sector, to return to their roots in business.

Regardless of the complexity and the change factors associated with all of the political fanfare, there are still "Black Swan" risks to our economic and global vitality. These operational risks continue to interface with Homeland Security, the Department of Defense (DoD), Treasury, Justice, and the State Department priorities. It all exists with great anticipation.

The United States will continue its quest to secure the homeland from foreign and domestic terrorism. She will defend our allies against aggression by rogue states or countries in political turmoil. She will work harder than ever before to help other nations rebuild or build the foundations for economic stability, democracy and the rule of law. So what has changed, or will change, in the next four years in the context of Operational Risk Management?

It's almost like the feeling when you lose a loved one, to some catastrophic event. Or hear the news from a co-worker that your boss is being indicted for some corporate financial malfeasance. There is a feeling of despair and uncertainty. The event and sudden impact brings on a form of decision paralysis. Everyone starts to question each other and there is a tremendous amount of finger pointing on what could have prevented or what caused the incident to occur.

What will change for Operational Risk and managing the current and yet-to-be-known "What Ifs" is that it can't be ignored any longer. In analyzing the 1-in-100-year event, people have to go far beyond the mathematical equations and start looking at human behavior. Operational Risk managers across our international governments and businesses will now realize that even the "Human Factors" in Operational Risk can't always be counted.


Writers Wilber and Smith from the Washington Post have this to say about a vital component of our continued national risk management vigilance:

"A special federal appeals court yesterday released a rare declassified opinion that backed the government's authority to intercept international phone conversations and e-mails from U.S. soil without a judicial warrant, even those involving Americans, if a significant purpose is to collect foreign intelligence.

The ruling, which was issued in August but not made public until now, responded to an unnamed telecommunications firm's complaint that the Bush administration in 2007 improperly demanded information on its clients, violating constitutional protections against unreasonable searches and seizures. The company complied with the demand while the case was pending.

In its opinion, a three-judge panel of the U.S. Foreign Intelligence Surveillance Court of Review ruled that national security interests outweighed the privacy rights of those targeted, affirming what amounts to a constitutional exception for matters involving government interests "of the highest order of magnitude.""


Our greatest threat to national security or business and global economic welfare may well come down to the ability to mitigate complacency and a lack of vigilance. A high degree of complacent people, working in an environment of non-vigilance, could set the stage for those human factors to play a major role in exploiting our vulnerabilities as a business and a nation.

The weight of protecting our nation from economic tidal waves and well-trained non-state actors is a tremendous responsibility. Operational Risk Management will continue to be a vital aspect of the work of all the existing and new decision makers over the next four years. Becoming ever vigilant and eliminating complacency will keep us from falling victim to the risk of "Human Factors". Godspeed to the 44th Presidency!

07 January 2009

Managing the Business Risk of Fraud...

Operational Risk Management is in full swing at distressed institutions as the TARP funds continue to flow to these needy corporations. One thing is certain; you can expect increased oversight. The risk management mechanisms to determine how and where funds are being utilized will be the focus. Anti-fraud planning and investigative projects are on the radar of the Board of Directors and the Audit committee chair. The US government Anti-Fraud Task Force is gearing up:

Six more U.S. government agencies, including the Federal Reserve, will take part in a federal anti-fraud task force to strengthen its focus on uncovering mortgage and securities crimes.

Deputy Attorney General Mark Filip announced the expansion yesterday of the President's Corporate Fraud Task Force, which was formed in 2002. Joining the group are the Federal Housing Finance Agency, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Department of Housing and Urban Development and the Office of Inspector General for the financial industry rescue program approved last year by Congress.

"These new members reflect the breadth and depth of the mortgage crisis that we are now confronting and the urgency of the task before us," Filip said in a statement.

Current members of the task force include the heads of the Securities and Exchange Commission and the Commodity Futures Trading Commission.

Gil Soffer, associate deputy attorney general, said the task force expansion would let FBI officials coordinate with monitors of the Troubled Asset Relief Program.

"To be able to bring in our resources and to be able to tap into our expertise and to be able to work with our investigators and our prosecutors when there's criminal activity afoot, it's a tremendous boon" to TARP investigators, he said in an interview.

Congress passed the $700 billion TARP rescue package in October, and lawmakers have said oversight is needed to ensure the funds aren't misused.


The business of Fraud Risk Management has been spelled out for years and continues to be a high priority. Most Fortune 50 organizations have established sophisticated frameworks for addressing compliance, ethics and governance in their organizations. However, the question remains how well they understand their respective roles, responsibilities and jurisdictions. This organizational challenge is no different than the battle between the physical security and information security domains that are now converging. The ACFE, AICPA and the Institute of Internal Auditors have released their latest Practical Guide for Managing the Business Risk of Fraud. Here are the key principles:


Only through diligent and ongoing effort can an organization protect itself against significant acts of fraud. Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:

  • Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
  • Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
  • Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
  • Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
  • Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.


Operational Risk Management issues still exist in Tier II organizations that have market caps below $1B in assets and are more vulnerable. This is typically due to the lack of resources and extensive staff devoted to an enterprise-wide program that incorporates the mission from the Board of Directors and the "Tone-at-the-Top". 2009 will be busy and you can bet the General Counsel and CxOs will be burning the midnight oil.

31 December 2008

2009 Outlook: OPS Risk Top Priorities...

In light of the 2009 outlook and the fact that Operational Risk is now a much greater priority, here are vital areas to focus on for the New Year. As restructuring, downsizing, layoffs and overall corporate strategy and governance initiatives are kicked-off for the 2009 calendar year; here are the top priorities according to Peter L. Higgins, Managing Director of OPS Risk advisory firm 1SecureAudit.

"Operational Risk will continue to be a major focus for Boards of Directors in 2009 and for good reason. Governance Strategy Execution, Information and Records Management and Legal Risk are all in need of a critical review and a robust injection of new resources. We are at the beginning of a new "S" curve cycle on the down slope just as we saw in late 2001 post 9/11 and the "Dot Com" era," Higgins said.

"This requires a renewed and substantial commitment to keeping our code of practice guidance and implementation advice narrowly focused on several key areas of the corporate enterprise:"

  • Organizational Security
  • Information Security Infrastructure: Cooperation between organizations
  • Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
  • Asset classification and control
  • Information Classification: Information labelling and handling
  • A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
  • Personnel Security
  • Responding to security incidents and malfunctions: Reporting security weaknesses
  • Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
  • Communications and operations management
  • Operational procedures and responsibilities: External facilities management
  • Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into a contract.
  • Exchanges of information and software: Security of electronic mail
  • A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.
  • Access Control
  • Monitoring system access and use: Monitoring system use
  • Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
  • Business Continuity
  • Aspects of Business Continuity Management: Testing, maintaining and re-assessing BCP
  • Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
  • Compliance
  • Compliance with legal requirements: Collection of evidence
  • Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

Here are some of the top cases to review for OPS Risk lessons learned in 2008:

01/04/08 - Detroit: Eleven Indictments in International Illegal Spamming and Stock Fraud Scheme - Eleven individuals were indicted in a wide-ranging international fraud scheme which manipulated stock prices through illegal spam e-mail promotions.

02/15/08 - Washington: DOD Employee Arrested in Chinese Espionage Case - Gregg William Bergersen, a Weapons Systems Policy Analyst at the Defense Security Cooperation Agency, Department of Defense, was arrested for passing classified documents to the People’s Republic of China.

02/22/08 - Miami: Five Individuals Indicted for $200 Million Hedge Fund Fraud - Michael Lauer, founder of Lancer Group Hedge Fund, and four others were indicted on conspiracy and wire fraud charges in a $200 million hedge fund fraud.

02/29/08 - Houston: Chinese Chemist Indicted for Theft of Trade Secrets - Qinggui Zeng, aka Jensen Zeng, a legal permanent resident from China, was indicted and charged with theft of trade secrets and computer fraud.

03/14/08 - Cincinnati: Financial Enterprise Executives Found Guilty in $3 Billion Fraud Scheme - Five former executives of National Century Financial Enterprises were found guilty of conspiracy, fraud and money laundering in a $3 billion security fraud scheme.

05/16/08 - Washington: Guilty Plea in Espionage Charge Involving China - Tai Shen Kuo pled guilty to conspiracy to deliver national defense information to the People’s Republic of China.

06/20/08 - Operation Malicious Mortgage Nets 406 Individuals - Charges in Operation Malicious Mortgage, a nationwide takedown of mortgage fraud schemes which inflicted approximately $1 billion in losses, were brought in every region of the country.

10/17/08 - FBI Coordinates Global Effort to Nab “Dark Market” Cyber Criminals - A two year undercover operation, Dark Market, which joined forces with international law enforcement, resulted in 56 arrests and $70 million in economic loss prevention.

11/28/08 - Dallas: Holy Land Foundation and Leaders Convicted - The Holy Land Foundation of Relief and Development and five of its leaders were found guilty of illegally funneling at least $12 million to the Palestinian terrorist group, Hamas.

12/12/08 - Chicago: Illinois Governor Arrested - Governor Rod R. Blagojevich and his Chief of Staff John Harris were arrested on federal corruption charges including conspiring to trade or sell the Illinois Senate seat vacated by President-elect Barack Obama.

Beyond the Bernie Madoff fraud scheme that rocked the Hedge Fund universe, the real systemic risks to deal with in 2009 will continue to be tied to the housing and mortgage sector:

  • Recent statistics suggest that escalating foreclosures provide criminals with the opportunity to exploit and defraud vulnerable homeowners seeking financial guidance.
  • Perpetrators are exploiting the home equity line of credit (HELOC) application process to conduct mortgage fraud, check fraud, and potentially money laundering-related activity.

The Operational Risks in corporate enterprises will be increasing as the economy adjusts and finds its new equilibrium. Hang on for a wild ride in 2009!

22 December 2008

Security Governance: Siemens FCPA guilty plea...

One only has to look a few layers deep into the corporate hierarchy, to see the root cause of why Siemens AG violated the Foreign Corrupt Practices Act (FCPA).

At a hearing before U.S. District Judge Richard J. Leon in the District of Columbia, Siemens AG pleaded guilty to a two-count information charging criminal violations of the FCPA’s internal controls and books and records provisions. Siemens S.A. - Argentina (Siemens Argentina) pleaded guilty to a one-count information charging conspiracy to violate the books and records provisions of the FCPA. Siemens Bangladesh Limited (Siemens Bangladesh) and Siemens S.A. - Venezuela (Siemens Venezuela) each pleaded guilty to separate one-count informations charging conspiracy to violate the anti-bribery and books and records provisions of the FCPA. As part of the plea agreements, Siemens AG agreed to pay a $448.5 million fine; and Siemens Argentina, Bangladesh, and Venezuela each agreed to pay a $500,000 fine, for a combined total criminal fine of $450 million.

Where the compliance and ethics culture begins to break down, in this example and others, lies within the "Modus Operandi" of the "Deal Makers" themselves. The sales and marketing mechanisms that funded the budgets of front line managers to perpetuate the corruption are to be thoroughly examined. The competitive environment and the "wink and nod" of selling 101 at Siemens has brought the company into the ranks of Enron, Worldcom, and other global transnational corporations soon to be announced for their misdeeds and corporate malfeasance. This NYT article by Siri Schubert and T. Christian Miller highlights the culture factors:


“Bribery was Siemens’s business model,” said Uwe Dolata, the spokesman for the association of federal criminal investigators in Germany. “Siemens had institutionalized corruption.”

Before 1999, bribes were deductible as business expenses under the German tax code, and paying off a foreign official was not a criminal offense. In such an environment, Siemens officials subscribed to a straightforward rule in pursuing business abroad, according to one former executive. They played by local rules.

Inside Siemens, bribes were referred to as “NA” — a German abbreviation for the phrase “nützliche Aufwendungen” which means “useful money.” Siemens bribed wherever executives felt the money was needed, paying off officials not only in countries known for government corruption, like Nigeria, but also in countries with reputations for transparency, like Norway, according to court records.


The line item utilized by business development executives at Siemens to secure business is not exclusive to Siemens or to Germany. It is utilized by almost every major global corporation to obtain the opportunity to compete and to make the short list on major procurements. So how do the internal audit and operational risk professionals deal with the fact that money is budgeted each year for these kinds of activities?

Corporate Integrity Management and ethics programs are a great place to start. This blog highlighted these in a previous post a few months ago:


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

  • Systems for monitoring and auditing
  • Incident response and reporting
  • Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reasons. More importantly, security governance frameworks must make sure that the management of a business or government entity be held accountable for their respective performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been discovered is the role of risk management in Security Governance.

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

20 December 2008

The "New Age" of Unreason...

In the new age of unreason, Charles Handy the author of The Age of Unreason would say that discontinuous change is upon us. He would say that we need to outsource everything that is not a core function of the enterprise. And he would say that learning is the same as change from a different worldview.

Adaptation in order to survive in the corporate world is nothing new. The risks associated with making new decisions depend on how that decision will impact the other persons, processes or systems in the enterprise. As a simple example, adapting a process for entering orders from the field sales force could have a dramatic effect on productivity and at the same time subject an enterprise to newfound risks. How would your risk profile change if the following scenario took place at your business?

Sales reps are entering orders in the field via a web application that is protected by a user name and password. There is no VPN or encrypted connection. The application doesn't use SSL. The information on new customers includes name, address, phone number, credit card number, expiration date and the three or four digit security code. As the reps are entering their orders, the paper-based sales forms are being put into a folder to be sent by FedEx to the home office. Each rep makes a copy for their files, to make sure that they have the right commission check at the end of the month. The VP of sales finds out that many of the orders are lacking the security code or that the consumer is giving them the wrong numbers. He asks the CFO for a change in the sales order process in order to streamline the flow of orders and diminish the backlog. The CFO instructs the CIO to have her department change the business rules in the order entry system to eliminate the need for the security code in processing orders. The lag time for the company hard copy to reach the accounting department is also a problem, and he asks for this step to be eliminated. Everything is completed and now the sales reps no longer require this piece of information to process an online sales order. Productivity increases and the backlog is eliminated.


What potential operational risks exist today with this particular business process?

1. The privacy of the customers' personal identity and credit card information may be at risk if the sales rep is not securing the hard copies of the sales orders at their business office or home office.

2. The lack of the credit card security code could increase the number of fraudulent orders, because stolen credit card numbers with expiration dates are widely available as a result of identity theft.

3. The personally identifiable information being entered on each new customer could be compromised due to the lack of controls on the network connection.

4. The privacy policy may not have been updated and amended to reflect the new business process and to document that a security code is not needed as of (date).
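An added example, not code from the original post: a small Python audit over constructed access-log lines from a hypothetical field order-entry application (the log format and the field names `card`, `exp` and `cvv` are assumptions). It flags the risks in items 2 and 3 above, card data and security codes sent over plain HTTP and orders accepted without a security code, while masking the card number so the audit report does not itself become another cleartext copy.

```python
"""Audit of order-entry request logs for card data sent in the clear.

Added example, not from the original post. It scans constructed log lines
from a hypothetical order-entry web application and flags requests that
carry a primary account number (PAN) or security code over plain HTTP, or
that carry no security code at all. The "<scheme> <method> <target>" log
format and the form field names are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (test card numbers, not real accounts).
SAMPLE_LOG = """\
http  POST /orders/new?name=A.+Buyer&card=4111111111111111&exp=1209&cvv=123
https POST /orders/new?name=B.+Buyer&card=5500000000000004&exp=0110&cvv=456
http  POST /orders/new?name=C.+Buyer&card=4012888888881881&exp=0310
https GET  /orders/status?id=48213
http  POST /orders/new?name=D.+Buyer&card=1234567890123456&exp=0111&cvv=789
"""

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates a real PAN from a mistyped or random number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits in any report we write."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    issues: list


def audit_line(line_no: int, line: str):
    """Return a Finding for one log line, or None if it carries no valid PAN."""
    scheme, _method, target = line.split(maxsplit=2)
    params = parse_qs(urlsplit(target).query)
    card = params.get("card", [""])[0]
    if not (PAN_RE.match(card) and luhn_ok(card)):
        return None
    issues = []
    if scheme != "https":
        issues.append("pan-over-cleartext")        # risk item 3 above
        if "cvv" in params:
            issues.append("cvv-over-cleartext")
    if "cvv" not in params:
        issues.append("no-cvv")                    # risk item 2 above
    return Finding(line_no, mask_pan(card), issues)


def audit_log(text: str) -> list:
    """Audit every non-empty line; return only the lines with issues."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = audit_line(n, line)
        if f is not None and f.issues:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan}: {', '.join(f.issues)}")
```

Line 5 of the sample fails the Luhn check and is dropped, which is what keeps the audit from raising alarms on mistyped numbers; the https request on line 2 produces no finding.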

The new age of unreason is certainly upon us because simple changes like this are taking place by the dozens, hundreds or thousands every day in the largest enterprises. Making changes is also about learning what those changes will mean to everything that interfaces with that change. It means that testing must take place in a lab or compartmentalized area of the business to ensure that the change doesn't impact the core operations. It means observing performance and measuring the results to determine if the change is worth the new risks that the organization is about to encounter.

In the words of Charles Handy:


"Learning is not finding out what other people already know, but is solving our own problems for our own purposes, by questioning, thinking and testing until the solution is a new part of our lives."


"If changing is, as I have argued, only another word for learning, then the theories of learning will also be theories of changing. Those who are always learning are those who can ride the waves of change and who see a changing world as full of opportunities rather than damages. They are the ones most likely to be the survivors in a time of discontinuity."


15 December 2008

OPS Risk: Tsunami of Fraud...

Just when you think you have avoided the major risk of the credit crisis, HSBC may have been one of many banks exposed to the Bernard Madoff "tsunami of fraud".

Banks and investment funds across the world lined up on Monday to admit investing billions of dollars in the companies of Bernard Madoff, whom U.S. authorities accused of masterminding a massive fraud.

HSBC Holdings was the latest bank to join the growing list, saying it had exposure of around $1 billion (663 million pounds), making it one of the biggest victims of the alleged $50 billion fraud.

Royal Bank of Scotland and Man Group, Japan's Nomura and France's Natixis also said they were hit by the worldwide scandal.

Financial companies, reeling after a year of enormous writedowns on bad credit assets, have so far tallied up more than $10 billion in direct and indirect exposure to the possible fraud by Madoff, the 70-year old trader who was arrested on Thursday.


Last year, HSBC sold its 42-story headquarters tower for $1.1B to Metrovacesa in a smart strategy that has now been extinguished by the likes of a simple and yet enormous Ponzi scheme. A Ponzi is an investment fraud in which profits are promised to investors from fictitious sources. Sounds like a hedge fund. Early investors are paid off with funds raised from later ones. Is there any conservative institution that will be spared from the corporate malfeasance and corruption that has permeated our global systems of finance?

The SEC has issued the temporary restraining order for Madoff and his companies while this is drowning out the recent fraud allegations against Marc Dreier:

Dreier was arrested in Canada this month and charged with impersonating a lawyer for the Ontario Teachers Pension Plan. He was released on bail and arrested by U.S. authorities on his return to New York.

Dreier on Dec. 11 was ordered held in custody pending his trial after prosecutors told a federal magistrate that victims of a fraud that started in 2006 have lost $380 million.

If convicted of the securities fraud and wire fraud charges against him, Dreier faces as many as 20 years in prison on each count.

The U.S. Securities and Exchange Commission filed a civil suit against Dreier claiming he stole $38 million from an escrow account set up to hold money for the unsecured creditors of 360networks (USA) Inc., which the firm represented in bankruptcy court.

The movie moguls in Hollywood must be looking at these latest cases to determine if a screenplay might be a worthwhile endeavor. The hundreds of lawyers and other workers impacted by these two incidents alone will no doubt bring out a few who were close enough to the two crooks to be able to provide technical consulting on the projects. The setting in the Hamptons or the Palm Beach Country Club could even bring some real well known people into the movie picture itself.

Back in May 2008 this blog touched upon the legal ecosystem and the survival of the fittest. Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mindsets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here as much as the fact that offenders seek to justify or rationalize their actions and methods. The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

08 December 2008

Top 10 Mistakes: Board of Directors...

A few years ago, Randy Myers' article in Corporate Board Member Magazine discussed a Top Ten List for the Board of Directors. In light of the current state of corporate performance, we would like to revisit the most common mistakes.

General Counsel to Directors: Your 10 Most Common Mistakes


The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the dilemma of False Options


And as Randy so clearly states: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 is even on this list. No. 2 and No. 3 are ever so commonplace. And No. 7 is not a surprise. But what continues to amaze even those professionals associated with consulting to the Board of Directors is No. 8.

The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization be the subject of an investigation by the SEC, FTC or any other government regulator, they need to look to the CRO. It's the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of risk management. Whenever you see a CRO getting involved in managing the risks of the business, then the independence and clarity of oversight has been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.


02 December 2008

ID Risk Management: Protective Intelligence Factors...

The root cause of the safety and security threat to corporate personnel and assets can be traced back to the identity of someone. It can be said that protective intelligence utilizing the proper Operational Risk Management framework will mitigate the impact of a successful attack. Whether the intelligence is based upon monitoring or on proactive and preemptive factors to be alerted to any threat actors who wish to do us harm, you still have to have a valid identity of the "unsub."

Today as you walk into your employer, you may be happy that you are there. This is your sanctuary away from the threat at home. Your work place provides a potential "safe zone" for the next 8 to 10 hours until the work day is over and you have to return to an environment filled with physical and emotional violence. The growing workforce of women in today's corporations is faced with an increasing challenge to keep their jobs and to mask the problems on the home front.

Simultaneously, those who are the root cause of much of the domestic violence are also walking into the same corporation. Who would know that they are the same people who have never been convicted of a crime and yet are beating their wife or girlfriend at home? The point is that in your corporate environment today you have a mix of both kinds of people who are the potential threats to your organizational security and safety. Workplace violence is an Operational Risk that requires a proactive protective intelligence mechanism operating on a 24/7 basis. The identities of your employees may be known upon hire, but their profiles over the course of their career could change dramatically. Let's illustrate the true picture with some real incidents.

The US Bureau of Labor Statistics has data on 5,488 workplace fatalities in the US in 2007. 610 were homicides, 491 of these were shootings. 22% of these homicides involved former employees yet 43% were current employees. The remaining incidents were committed by non-employees. Understanding the red flags on your current employees and those who have left the organization is the focus here. Your Operational Risk Framework should incorporate the processes, systems and tools to mitigate this relevant internal threat in the enterprise.

The implications of effective identity management go far beyond the operational risks associated with the work place. ID Management encompasses the following domains:

  • Public Safety: Identity theft, cyber crime, computer crime, organized criminal groups, document fraud and sexual predator detection
  • National Security: Cyber security and cyber defense, human trafficking and illegal immigration, terrorist tracking and financing
  • Commerce: Mortgage fraud and other financial crimes, data breaches, e-commerce fraud, insider threats and health care fraud
  • Individual Protection: Identity theft and fraud

The research and development community has been focused of late on the use of biometrics; for access controls and other ways to validate true identities, these tools and systems for authentication are vital. Yet the stolen identity used to fraudulently obtain a driver's license, passport or visa comes back to our root cause issue. Dr. Gary Gordon and his team at CAIMR are on the right track:

Those challenges, aggravated by the rapid changes in our society, include identity theft and fraud, cyber crime, computer crime, travel and immigration document fraud, and data breaches. They impact individuals, public safety, commerce, government entitlement programs, and national security. As the concept of an identity (or entity) expands in the physical and digital worlds, determining if the person claiming an identity is really that person becomes critical to conducting business, providing access to services and systems, and tracking cyber criminals and terrorists. Responding to these challenges requires a collective effort by the key thought leaders from the public and private sectors, working in concert with academe.

The Center's mission is to conduct applied research in order to provide pragmatic outcomes, utilizing a multi-disciplined approach that draws on the expertise of its diverse members. The results will be specific and measurable, whether they are in the form of industry or law enforcement best practices, technologies, policy adjustments, or training and educational materials.

The Center's purpose is to convene key stakeholders and marshal their respective strengths to help solve very challenging societal problems. Our partners include organizations such as the United States Secret Service, the United States Marshals Service, LexisNexis, VISA, Cogent Systems, Indiana University, Intersections, Wells Fargo & Company, and Fair Isaac Corporation. Our government/law enforcement partners must adapt to quickly evolving identity fraud and cyber crimes. As such, they must understand current attack vectors and prepare for future ones. They need to become more proactive by improving investigations and enhancing training. Corporations are faced with many challenges, including increased fraud losses, compliance and regulatory oversight, and enhancing products and improving services to keep up with the rapidly changing environment. The academic research community is challenged with gaining access to key data sets, tight funding budgets, a limited ability to interact with corporate and government decision makers, and the need to infuse their curricula with cutting-edge research.

Establishing effective tripwires and situation awareness begins with people and may be augmented by technologies and software. CCTV, biometrics and other access controls can become the catalyst for a complacent environment and are no replacement for effective training, education and scenario exercises with personnel.

Protective Intelligence is the front line for early warning and proactive measures to interdict the loss of corporate assets. Having the correct combination of human and technology capabilities will create the most effective means for a myriad of incidents internal to the work place. Application of these same measures of countersurveillance, monitoring of identities and the lawful use of systems will provide the red flags necessary to preempt incidents external to the institution. In the 21st century, "soft targets" in our critical infrastructure will continue to be exploited for their vulnerabilities:

India picked up intelligence in recent months that Pakistan-based terrorists were plotting attacks against Mumbai targets, an official said Tuesday, as the government demanded that Islamabad hand over suspected terrorists believed living in Pakistan.

A list of about 20 people — including India's most-wanted man — was submitted to Pakistan's high commissioner to India on Monday night, said India's foreign minister, Pranab Mukherjee.

India has already demanded Pakistan take "strong action" against those responsible for the attacks, and the U.S. has pressured Islamabad to cooperate in the investigation. America's chief diplomat, Secretary of State Condoleezza Rice, will visit India on Wednesday.

The Indian government faces widespread accusations of security and intelligence failures after suspected Muslim militants carried out a three-day attack across India's financial capital, killing 172 people and wounding 239.


25 November 2008

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, third-party suppliers and other contractors for at least the near term. In a case that has the defense legal eagles and "Usual Suspects" arguing against the corporate liability issue, is the intent getting cloudy, or is it crystal clear?

But in a case now pending before the 2nd U.S. Circuit Court of Appeals, United States v. Ionia Management SA, the defendant corporation, as well as a diverse group of business and legal organizations acting as amici curiae, are asking the court to re-examine what had previously been accepted as black-letter law regarding when a corporation may properly be held vicariously liable for the acts of its employees.

While the defense bar has successfully battled some of the U.S. Justice Department's specific tactics in corporate criminal investigations (such as pressuring companies to waive attorney-client privilege or deny payment of employees' legal fees), this is the first significant direct challenge in recent years to the long-standing doctrine of corporate criminal liability. Their arguments, if accepted by the court, could have far-reaching consequences for the balance of power between the government and the targets of corporate criminal investigations.

Even if the corporate compliance programs are in full force and the financial integrity unit is robust in its efforts, the "Operational Risk" of litigation still exists. How the cases settle or end up in deferred prosecution deals is another subject. Andrew Weissmann is in the precarious position of having been on the other side of the court room during the Enron trial. Now, after having moved to the defense, he is feeling the size of the government's power base.


Mr. Weissmann, 50 years old, says he noticed the "glitch" in the law four years ago as a prosecutor when he helped put together deferred-prosecution agreements of Merrill Lynch & Co. and Canadian Imperial Bank of Commerce for their conduct in connection with the Enron collapse. It struck him that the standard for criminal liability might be too low for "companies that work hard to create compliance programs" and yet are still on the hook, he says.


Regardless of the amount of awareness building, education and corporate window dressing, you can't ultimately control human behavior. More compliance enforcement and regulatory pressure may seem to be the answer. A voluntary effort to shore up security and soundness, and to close off the opportunity for malfeasance in the work place, may not be working effectively. And still the liabilities exist, from plaintiffs and government adversaries seeking compensation. So what is the answer?

The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex. One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.

What many liability issues begin with are the employee(s) who made a bad decision. QFD in its simplest form is a tool to promote communications. Among peers and connected teams within the organization it provides the methodology to catch errors, omissions and emotional bias early in the process. As an example, let's take the Request for Proposal (RFP). Many companies depend heavily on winning business by responding to RFPs. A "deal maker's" perception of the importance of the RFP determines the effort for the response. Many times, this is influenced by an incentive plan. The human behavior to accept or decline the effort on an RFP, as well as what it takes to push it through the organization for executive sign-offs, is not always compatible with the strategic and quality measures of the enterprise.

Over time this will form an unimaginable amount of moral decay within a company. This leads to bad behavior and unethical decisions that people make because the business environment has rewarded it for far too long. So who is to blame here? The employee, or the culture and company that has condoned and encouraged the behavior that ultimately damaged someone or something?

Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions. More importantly, QFD programs such as this that are directly reducing the likelihood of bad employee behavior and criminal incidents, can reduce the necessity for invasive compliance programs that most everyone wants to ignore.

18 November 2008

Virtual Truth: False Information Risk...

How does "False Information" impact the risk to your organization? Decisions based upon faulty or inaccurate information are the root of many of the systemic failures in the history of catastrophes. The Titanic, the Challenger Shuttle and the Three Mile Island nuclear incident can all be attributed to the integrity of vital information.

Fast forward to the financial crisis and the past decade of consumer credit expansion strategies. What data have you been collecting from US consumers or clients about their personally identifiable information attributes? The Information Age has drawn us into a more dangerous business operating environment as these digital assets have become another commodity to be sold in an international market place, to the highest bidder. Are you ready when the federal "Suits" or the local LEOs (Law Enforcement Officers) knock on your door in pursuit of the truth?

The Fair Credit Reporting Act (FCRA) spells out rights for victims of identity theft, as well as responsibilities for businesses. Identity theft victims are entitled to ask businesses for a copy of transaction records — such as applications for credit — relating to the theft of their identity. Indeed, victims can authorize law enforcement officers to get the records or ask that the business send a copy of the records directly to a law enforcement officer. The businesses covered by the law must provide copies of these records, free of charge, within 30 days of receiving the request for them in writing. This means that the law enforcement officials who ask for these records in writing may get them from your business without a subpoena, as long as they have the victim’s authorization.

The financial integrity of your future as a business and as a consumer is at stake. Christopher Burns brings this to light in a dramatic fashion in his new book, Deadly Decisions:

"First, it is often extremely difficult to validate, corroborate, or verify the information we are dealing with, except by comparing it to the other information we are dealing with. And often the whole system is contaminated by misunderstanding, bad data and false assumptions that are hard to spot. The truth test rarely works. And second, the real issue of truth is not whether you or I should believe this or that, it is what we believe together. The truth that matters is group truth, and where we get into trouble is when a whole organization--a company, a community, a nation--starts to act on information that has been gathered from many sources and processed by many people but has come to contain significant elements that are false."

Beyond the "Red Flags" rules imposed on business, the LEO community is starting to acquire what it needs for more effective deterrence and enforcement mechanisms. The ID Theft Enforcement and Restitution Act of 2008 is providing prosecutors with the tools to address cyber extortion schemes such as the Express Scripts case:

Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.


Now the clients themselves are receiving extortion demands directly from the criminal elements behind this latest critical incident. Express Scripts has hired a new Senior Compliance Counsel to start December 1 and one of the Board of Directors has tapped a unit of his former company to provide ID Theft professional services. It looks like they are heading in the right direction.

Trusted Information is at the core of current global trading, business transactions and the fabric of our own personal identities. False information and knowledge is what creates operational risk factors that can change a whole company or the integrity of a whole nation. Systems that comprise vast databases of "so called" trusted information are at our fingertips, being utilized to make coherent and effective decisions. Yet what may be the more catastrophic Operational Risk, beyond the simple stealing of information, is the potential opportunity for the destruction of vital information.

The vulnerability of our institutions and the critical infrastructure of the United States economy is ever more at risk of a systemic loss. While our stolen data will continue to be sold to the highest bidder on a global platform for trading, the 4GW "Non-State" actors will change their modus operandi. This is a given.

Trusted Information systems that have certified integrity and the oversight controls to ensure the highest level of virtual truth is the "Holy Grail." The degree to which these same systems include false knowledge is our most complex problem for business and government in the next decade.

14 November 2008

General Counsel: OPS Risk Priorities...

As General Counsel, are you keeping up with the latest technology being deployed in your enterprise? Do any of your employees use Twitter? What about your "Generation Y" and their use of P2P file sharing programs? Does your CxO in charge of Safety, Security, Investigations and Corporate Integrity have the latest report on employee violations of your Information Assurance and Acceptable Use policies?

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.


The economy is continually downsizing, employees are now being sent home to work in "Virtual Mode", and Operational Risk loss events are metastasizing. Corporate Counsel and CxOs must provide thorough due diligence, security awareness training and effective annual audits of employees who work from home or may be perpetual "Road Warriors" hopping the globe from hotel to hotel. Why?


In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.


If you are a General Counsel and your organization is authorizing the use of encryption on laptops, or the use of personal social networking sites or systems, it's imperative to pay attention to how they are applied. Encryption for data security can be utilized to keep data secure in the event of a breach or a lost digital asset. It can also be used to cloak fraudulent or criminal activities:


In an expanding probe of investment giant UBS, the Justice Department on Wednesday announced the indictment of the Swiss bank's chairman of global wealth management, accusing him of playing a key role in a tax evasion scheme to shelter secret U.S. account holders from income tax bills and drive up bank revenue.

Raoul Weil, who oversaw the Swiss bank's cross-border private banking business serving 20,000 U.S. clients, helped conceal a combined $20 billion in assets from the Internal Revenue Service, the indictment charged.

"Prosecutors said the executives and managers used nominee entities, encrypted laptops, numbered accounts and other counter-surveillance techniques to conceal their U.S. clients and offshore assets."

"If the company policy is written correctly, employees have no privacy interest in any materials created or accessed on company computers. With such a policy in place, an employer generally can review with impunity an employee's activities on the company's computer system."


Whether information is discoverable is going to be a different matter. A careful review of most social networking sites' privacy policies will most likely reveal that posted information is not private, and therefore discoverable. Therefore, effective legal and IT security awareness programs and education are essential in any enterprise where employees are working remotely.

The modern General Counsel must rely on the Chief Privacy Officer working diligently with the Chief Security Officer and the Chief Compliance Officer to mitigate legal risk. The convergence of these responsibilities falls increasingly on the Chief Operational Risk Officer, who sees that all parties are synchronized in their strategies and efforts. That person may be best placed to ensure the entire spectrum of operational risks is being thoroughly addressed.



11 November 2008

AML: Transnational eCrime Ecosystem...

The Operational Risk threat matrix of "Advance Fee Fraud", "Nigerian Letter (419) Fraud", "Foreign Lottery/Sweepstakes Fraud" and "Overpayment Fraud" is still growing. During the current economic crisis, a spike in these consumer mass marketing schemes is to be expected. Global Anti-Money Laundering (AML) operations are in high gear at home and abroad.

The "Transnational Economic Crime Ecosystem" is thriving and the major phases of the environment continue to be a major challenge for global financial institutions and law enforcement:

  1. Collection
  2. Monetization
  3. Laundering

Let's take a closer look at "Overpayment Fraud":

Overpayment Fraud - Victims who have advertised some item for sale are contacted by buyers who remit counterfeit instruments, in excess of the purchase price, for payment. The victims are told to cash the payments, deduct any expenses, and return or forward the excess funds to an individual identified by the buyer, only to discover they must reimburse their financial institution for cashing a counterfeit instrument.

The predominantly transnational nature of the mass marketing fraud crime problem presents significant impediments to effective investigation by any single agency or national jurisdiction. Typically, victims will reside in one or more countries, perpetrators will operate from another and the financial/money services infrastructure of numerous additional countries utilized for the rapid movement and laundering of funds. For these reasons, the FBI is uniquely positioned to assist in the investigation of these frauds through its network of Legal Attache offices located in over 60 U.S. embassies around the world. By leveraging its global presence and network of liaison contacts, the FBI has successfully cooperated with other domestic and foreign law enforcement agencies to combat, disrupt, and dismantle international mass marketing fraud groups.

Despite the best inter-agency enforcement efforts to combat mass marketing fraud, the FBI remains cognizant of the fact that the only enduring remedy for this crime problem lies in consumer education and fraud prevention programs. Towards this end, the FBI has not only produced its own mass marketing fraud prevention pamphlet but coordinates on other public information efforts with the DOJ, FTC, and the USPIS. The FBI also supports a consumer fraud prevention website in conjunction with the USPIS which can be located on the web at: http://www.lookstoogoodtobetrue.gov.
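The overpayment scheme the FBI describes above works because the seller receives provisional credit for the counterfeit instrument and sends real money out before the instrument is returned unpaid. The following is an added illustration, not code from the original post or from the FBI, of how a bank or marketplace fraud team could encode that pattern as a review rule. The record types, field names, instrument categories and sample transactions are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Paper instruments can be credited provisionally and still come back counterfeit
# days or weeks later; an electronic wire that shows as settled cannot. (Assumed
# categorisation for this example.)
PAPER_INSTRUMENTS = {"cashiers_check", "money_order", "personal_check"}


@dataclass
class Sale:
    sale_id: str
    buyer: str
    price: float


@dataclass
class Payment:
    amount: float
    instrument: str
    deposited: date
    cleared: Optional[date]   # None: provisional credit only, no final settlement yet


@dataclass
class ForwardRequest:
    amount: float
    beneficiary: str          # who the seller is asked to send the "excess" to
    requested: date


def overpayment_signals(sale: Sale, payment: Payment,
                        request: Optional[ForwardRequest]) -> List[str]:
    """Return the overpayment-fraud indicators present for one sale."""
    signals = []
    excess = round(payment.amount - sale.price, 2)
    if excess > 0:
        signals.append("overpayment")
    if payment.instrument in PAPER_INSTRUMENTS and payment.cleared is None:
        signals.append("uncleared_paper_instrument")
    if request is not None:
        if request.beneficiary != sale.buyer:
            signals.append("third_party_beneficiary")
        # Money leaving before the instrument has finally settled is the
        # mechanism that leaves the victim owing the bank.
        if payment.cleared is None or request.requested < payment.cleared:
            signals.append("forward_before_final_settlement")
        # "Deduct any expenses and send the rest": the request tracks the excess.
        if 0 < request.amount <= excess:
            signals.append("forward_matches_excess")
    return signals


def is_overpayment_fraud(signals: List[str]) -> bool:
    # An overpayment alone can be an honest mistake; combined with a request to
    # forward funds before final settlement it is the scheme itself.
    return "overpayment" in signals and "forward_before_final_settlement" in signals


# Constructed sample cases (not real transactions).
FRAUD_CASE = (
    Sale("S-1001", "buyer_a", 1200.00),
    Payment(3200.00, "cashiers_check", date(2008, 11, 3), None),
    ForwardRequest(1900.00, "shipping_agent_x", date(2008, 11, 5)),
)
HONEST_OVERPAYMENT = (   # buyer overpaid, refund asked for after the cheque cleared
    Sale("S-1002", "buyer_b", 500.00),
    Payment(550.00, "personal_check", date(2008, 10, 1), date(2008, 10, 9)),
    ForwardRequest(50.00, "buyer_b", date(2008, 10, 20)),
)
CLEAN_SALE = (
    Sale("S-1003", "buyer_c", 800.00),
    Payment(800.00, "wire", date(2008, 11, 4), date(2008, 11, 4)),
    None,
)


def review(cases) -> dict:
    """Map each sale id to whether it should be held for fraud review."""
    return {s.sale_id: is_overpayment_fraud(overpayment_signals(s, p, r))
            for s, p, r in cases}


if __name__ == "__main__":
    for s, p, r in (FRAUD_CASE, HONEST_OVERPAYMENT, CLEAN_SALE):
        sig = overpayment_signals(s, p, r)
        print(s.sale_id, sig, "FRAUD" if is_overpayment_fraud(sig) else "ok")
```

The decisive pair is an overpayment plus a request to move funds out before final settlement; the other signals (paper instrument, third-party beneficiary, request tracking the excess) raise confidence but the honest-overpayment case shows why none of them should trigger a hold on its own.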

While the number of Mass Marketing Fraud cases has declined over the past few years, the number of new money laundering cases rose to over 500 in FY 2007 alone. This is to some degree a result of the cooperation law enforcement is now getting from the financial institutions themselves. And for good reason. There is a new sheriff in town.

(Reuters) - A U.S. tax investigation into UBS AG (UBSN.VX) is concentrating on senior and midlevel executives and bankers, and could result in one or more indictments, the New York Times said, citing people briefed on the matter.

Investigators are sifting through more than 70 names and related account details of American clients provided by UBS over the last few months to the Justice Department, which has passed the details to the Internal Revenue Service for further scrutiny, the paper said.

The Justice Department and the IRS plan to build both civil and criminal tax-evasion cases against some of the clients, the people told the paper.

The U.S. tax investigation risks compounding damage to UBS's reputation at a time it has been forced to make bigger writedowns than any other European bank in the credit crisis.

The U.S. Department of Justice is investigating UBS over offshore services provided to U.S. clients from 2000 to 2007 to find out whether UBS helped wealthy Americans dodge taxes. The Swiss bank was singled out by U.S. President-elect Barack Obama as one of the banks who helped "tax cheats." It decided earlier this year to stop offering offshore Swiss bank accounts to U.S. citizens.


Yet the collection phase of mass marketing fraud is not about "70" or "100" UBS clients who are trying to cheat on their taxes. It is still about the millions of phishing and spam messages that circle the digital globe in search of their targets or prey. The elusive criminal organizations behind this organized cybercrime wave are continually exploiting the vulnerabilities of our financial institutions and of our own human behavior.

"Merchandise Mules" are being recruited by the hundreds if not thousands to reship goods outside North America. These criminals are utilizing stolen identities and credit cards to purchase goods on eCommerce sites and eBay and then requesting to ship the goods overseas. Unfortunately, those who are elderly or even just down on their economic luck fall victim to this tremendous economic crime tsunami:

Much of modern organized crime is very similar to the old. The most significant transformation from the streets to cyberspace has enlarged the territory of individuals and organized groups.

Enabled by the Internet, criminals can operate in cyberspace where less governance, a transnational stage, and a multitude of transactions to monitor complicate surveillance and enforcement. From counterfeiting drugs and software to identity theft and credit-card fraud, illegal transactions are increasingly infiltrating legitimate businesses where counterfeited goods and money laundering are buried in the billions of legitimate computer transactions made daily around the globe.

Counterfeited products are rising through global distribution via Internet sites. According to the World Health Organization, 50 percent of the medicines sold online are counterfeit.

The expanse of international criminal activity has been followed with an increase in prosecution through cooperating international law enforcement agencies willing to join the fight against globalized crime.


06 November 2008

Travel Risk: Adaptive Survival Instruction...

Travel risk to corporate executives is on the rise. Even if you are not an executive who can afford the services of personal body guards and armored cars, there are some prudent ways to mitigate the risk of traveling to the global hot spots.

The Mission

Travel safety is becoming more of a mainstream issue with savvy operational risk managers. In fact, new firms are being launched by former FBI and other law enforcement heavyweights. The fact is, most of these so-called travel safety courses are taught from only one side of the equation.

In a world of global commerce, CSOs are often tasked with building their company's corporate travel safety programs. The job calls for a proactive approach to educate employees about precautions they can take to stay safe, whether they're the CEOs of multibillion-dollar conglomerates who fly on company jets that land on secured tarmacs or rank-and-file staff riding in commercial airline coach.

The Take-Away

Business has to be done in some of the most dangerous places on the planet, places where kidnapping, terrorism and corrupt governments are real exposures. Our advice is to make sure your instructor transfers skills to people on "how" to detect, deter and defend against the attackers, not just "what to do".

The how is not easy to teach unless you have been there and experienced it. One of the reasons most CEOs are "age experienced" is that it takes time to acquire enough leadership lessons. It does not happen in a week or a month or even a few years. Learning the skills to survive in strange cities, cultures and countries requires instruction by age-experienced "Quiet Professionals". Much of this instruction is about training people to be "Adaptive."

Personnel threat management is a prudent risk mitigation solution. Combined with this kind of instruction, it is one key strategy to reduce the operational risks associated with key personnel in your organization. Individuals whose occupations place them at risk may include people with access to valuable proprietary information or holders of high level security clearances, the wealthy and those responsible for their safety.

Comprehensive "Adaptive Survival Instruction" for international business executives is a primary mission for OPS Risk leadership because it saves lives.

02 November 2008

Reputation Risk: Organizational Stewardship Revisited...

Reputation risk is becoming more of a topic of discussion these days. The loss of reputation results in several outcomes both economic and personal. The fact is that most of the time organizations are "Reacting" to a crisis, news leak or some other corporate failure.

You don't have to name names of people or companies to understand the impact that reputation has on the success or demise of an organization. What has to change to lower the severity and likelihood of loss events associated with "Reputation"?

First you have to ask yourself a couple of key questions:

  1. What is your reputation worth?
  2. Are you being Proactive or Reactive in managing and safeguarding your reputation?

The PR and marketing communications processes in your organization may hold certain facets of the solution to better reputation risk management. However, these processes are designed without the consciousness of proactive threat anticipation, detection, prevention and remediation.

What has become more clear to executives in proactive oriented companies is the requirement for a specific and strategic approach to Reputation Risk Management. This approach encompasses an emerging theme from the early nineties pioneered by author Peter Block. We call it Organizational Stewardship.

Organizational Stewardship as a core guiding principle is the cornerstone in managing an institutional reputation risk management process. It has three components that support this rekindled idea of applying the concepts of stewardship to the organization:

  • Economic Accountability
  • Information Management
  • Business Integrity

Reputation Risk Management is about the proactive monitoring and management of a portfolio of threats in the organization. Several categories include:

  1. Intellectual Property and Information Assets
  2. Demonstrations, planned boycotts and social activism
  3. Physical infrastructure including employees and suppliers
  4. Legal threats including class actions, insider trading or whistle-blowers

Microsoft closed its free Internet chat rooms in 28 countries several years ago because of threats from pedophiles and junk e-mailers. This is an example of proactive reputation risk management. Unfortunately, this has opened the door to another related threat of hackers hijacking Instant Messaging (IM) accounts.

Although Microsoft contends that IM is safer than the chat rooms, it is already known that both the AOL and MSN messenger systems are being exploited with malicious code and worms that can potentially expose organizations to additional digital risks.

Organizational Stewardship is a guiding principle. Once it is embedded into the organization it begins to permeate the mindsets of the individuals who are responsible for the conscious reputation risk management processes. Over time, these individuals help influence the corporate mindset, philosophy and ethics to a new found level.

Someday soon the executives in the board room will realize that managing reputation is not about keeping secrets and fighting fires. They will realize that they need to find a proactive, preventive and relevant strategy for achieving Organizational Stewardship in their company.

22 October 2008

EESA: Oversight & Legal Filings...

What is on the mind of GCs in the United States and United Kingdom? What are they saying about the costs of litigation, labor and employment, the financial/subprime crisis, regulatory investigations and FCPA, e-discovery preparedness and patent infringement claims? A Fulbright & Jaworski fifth annual survey gets the answers from 350 senior-level executives.

Lawsuit fears also vary across the United States: California companies have qualms about employment cases; Northeastern companies worry about environmental cases; and Southern companies expressed concern about class actions and products liability lawsuits.

The survey responses indicate that lawsuits filings ultimately vary by industry.

During the past year, two-thirds of insurance companies reported at least six new lawsuits, followed by 55 percent of retail companies.

Manufacturing companies were the third most sued industry, with 54 percent facing six new claims. Health care providers followed closely behind with 52 percent reporting a half dozen new cases.

Two industries were far less likely to face multiple lawsuits in one year.

Thirty-seven percent of financial services companies reported six new lawsuits compared with 30 percent of technology firms.


Somehow we think the financial services companies are going to see a large spike in the next nine months. The SOX cases will be tested and there will be a few that won't get settled. The outcomes will set the precedent for Corporate Governance related suits for years to come.

Keep an eye on this one. Part of the new EESA legislation provides for an Inspector General and oversight. This will be keeping the legal teams busy:

7) Compliance: The law establishes important oversight and compliance structures, including establishing an Oversight Board, on-site participation of the General Accounting Office and the creation of a Special Inspector General, with thorough reporting requirements. We welcome this oversight and have a team focused on making sure we get it right.

The Special Inspector General's purpose is to monitor, audit and investigate the activities of the Treasury in the administration of the program, and report findings to Congress every quarter.


The "TARP" Inspector General will have their hands full, and since the position is appointed by the President, you can be sure it will not be too partisan.