18 September 2010

China Syndrome: FCPA & Rating Agencies...

A modern-day "Operational Risk China Syndrome" is making the Board of Directors nervous these days. The new syndrome, otherwise called the Foreign Corrupt Practices Act (FCPA), has been the buzz at rating agencies for months. Are you sure about your ability to withstand the scrutiny of an FCPA litmus test? Board Member Magazine explains:

On June 2nd, Fitch Ratings agency announced that Foreign Corrupt Practices Act violations could result in ratings downgrades. That’s one more reason boards should educate themselves on FCPA and how their companies are monitoring FCPA-related risks. It appears, though, that many boards do not feel comfortable with their companies’ compliance programs. In a soon-to-be released survey from KPMG’s Audit Committee Institute, only 27 percent of U.S. audit committee members said they were satisfied that their company had an effective process to manage Foreign Corrupt Practices Act risks, and other risks associated with doing business in Brazil, Russia, India, China and other emerging markets. 35 percent of respondents were only somewhat satisfied, and 9 percent said process improvements were needed in conducting such business, which may include sourcing, outsourcing, manufacturing, or sales and distribution channels.

As your Business Development teams fan out across the globe to satisfy the appetite of the Chinese economy for critical infrastructure, establish a sound and effective awareness, training and audit program. What are the ramifications of putting unprepared personnel on the ground to do business in the Chinese Markets?

American companies or individuals who enter joint ventures with foreign partners, as well as those who hire foreign agents or distributors in China, must be extremely cautious of the vicarious liability that they may face as a result of a third party's violation of the principles set forth in the FCPA. According to the Justice Department, an American company will be subject to liability under the FCPA if it makes payments to an intermediary third party with the knowledge that such payments will go to a foreign official for corrupt purposes. Conscious disregard is enough to satisfy the requirement; if the American company is aware of a "high probability" that such payments will occur, the knowledge requirement will be satisfied. More importantly, a joint venture partner, agent, or distributor will be considered an intermediary third party for purposes of the FCPA. Therefore, any violation of FCPA standards by one of those parties could result in the American company being vicariously liable under the FCPA.

For the Board of Directors to have peace of mind about emerging-market business opportunities, a substantial compliance framework must first be established. Next comes the implementation of predictive analytics software to manage the complexity of companies, people and relationships as you do business in any of these countries. This includes subscriptions to several databases that track the constantly changing landscape of specially designated nationals (SDN) and politically exposed persons (PEP). World-Check explains:

During the period 2005 to 2007 alone, more than 310 elections and by-elections took place around the world – that’s an average of nearly 10 elections per month. (Source: ElectionGuide.org). This means that your existing clients may be elected to public office, and hence become PEPs, without your business knowing it. It may be that you only apply your due diligence processes to new customers and so miss a whole category of individuals that do not meet your corporate risk appetite. As such, routine and ongoing PEP risk screening is not only considered best practice, but is also a legal requirement.
In practice, full compliance with PEP legislation has not come without major operational challenges. In the post-9/11 era, the proliferation of regulatory compliance laws, combined with the need to screen hundreds of thousands of users and accounts on a routine basis, has created a substantial administrative burden for businesses subject to PEP legislation.

The sheer magnitude of the due diligence challenge has subsequently led to the adoption of a risk-based approach to regulatory compliance, but nevertheless Enhanced Due Diligence and ongoing risk management is still required for PEPs. Broadly speaking, the risk-based approach entails the identification of risks that exceed your business’ stated risk appetite (including the need for regulatory compliance), and then matching individuals and entities against these heightened risks during the preliminary stages of due diligence. Should a person fall into one or more of the specified heightened risk categories, additional due diligence is then required.

As your company establishes its new China-based strategy for partnerships, joint ventures or actually putting employees in-country, the operational risks become exponential. Remember, a sound and prudent risk framework includes a 4D approach:

  • Deter
  • Detect
  • Defend
  • Document

With these established and operating on a global basis, the Board of Directors will be sleeping more soundly. Or perhaps not...learn more.

11 September 2010

Remembering 9/11: Teaching the Children...

Where were you on September 11th, 2001? Everyone seems to remember...

On a cool, sky-blue morning 9 years ago in Northern Virginia, I was sitting in a hotel restaurant having breakfast around 8:00 AM with a business colleague. A little over 40 minutes into our discussion, we heard some people talking quite loudly in the bar next to us as they tuned into CNN. As cell phones rang around us, they were all loved ones checking in and urging us to hurry home.


8:46:40: Flight 11 crashes at roughly 490 mph (790km/h or 219m/s or 425 knots) into the north face of the North Tower (1 WTC) of the World Trade Center, between floors 93 and 99. (Many early accounts gave times between 8:45 and 8:50). The aircraft enters the tower mostly intact. It plows to the building core, severing all three gypsum-encased stairwells, dragging combustibles with it. A massive shock wave travels down to the ground and up again. The combustibles and the remnants of the aircraft are ignited by the burning fuel. As the building lacks a traditional full cage frame and depends almost entirely on the strength of a narrow structural core running up the center, fire at the center of the impact zone is in a position to compromise the integrity of all internal columns. People below the severed stairwells start to evacuate—no one above the impact zone is able to do so.

8:49:34: The first network television and radio reports of an explosion or incident at the World Trade Center. CNN breaks into a Ditech commercial at 8:49. The CNN screen subtitle first reads "World Trade Center disaster." Carol Lin, the first TV network anchor to break the news of the attacks, says:

"This just in. You are looking at obviously a very disturbing live shot there. That is the World Trade Center, and we have unconfirmed reports this morning that a plane has crashed into one of the towers of the World Trade Center. CNN Center right now is just beginning to work on this story, obviously calling our sources and trying to figure out exactly what happened, but clearly something relatively devastating happening this morning there on the south end of the island of Manhattan. That is once again, a picture of one of the towers of the World Trade Center."


Walking to the parking lot, the proximity of the kids' high school and middle school to the CIA created a feeling of great internal anxiety, and it soon turned to fear.

9:37:46: Flight 77 crashes into the western side of the Pentagon and starts a violent fire. The section of the Pentagon hit consists mainly of newly renovated, unoccupied offices. All 64 people on board are killed, as are 125 Pentagon personnel.

Looking around the crowd this evening at our 9/11 Memorial Ceremony in our little village, some of the kids were not old enough to remember that day. We said prayers and recited the names of the six men and women who were from our little town. "Friends of the Freedom Memorial" formed in 2002 to build the site and dedicated to the residents who have given their lives for our freedom.

The Boy Scouts handed out programs and led us in the Pledge of Allegiance. We sang the National Anthem. "America the Beautiful". We stared at the six candles lit in their honor.

What this day is about every year, beyond these memories, is the renewed vow of vigilance. A time to revisit all the reasons why you have made the decisions you have since that Tuesday morning nine years ago. Never forget that day. Never forget why you wake each morning.

9/11 vigilance is about being adaptive. It is about resilience. For those of us who have never paid the same price as those who have served, supported and are the mothers, fathers, brothers, sisters or relatives of those who have, we can never know or really feel what they have. We can only pledge our vigilance in continuing our respective missions.

Most of all, the mission is not America's alone and the entire planet understands this. As they teach the history of 9/11 in the schools of New York City, Haiti, Chile, Pakistan, India and even Saudi Arabia, what do you think the lesson is about? If it is not about vigilance and resilience, then we are doing our children a disservice. We must be preparing them for the future threats that this globe will be facing in the years and decades before us.

Whether it is the wrath of "Mother Nature" or the evil planning of ordinary people does not matter. We can never predict exactly the day, the hour, or when and where the next attack will occur. Whether it will impact our buildings, bridges, rivers, schools or the Internet is unknown. If all of us on this 3rd rock from the sun have done our job teaching our kids about vigilance and resilience, then we should all be able to have a peaceful night's sleep. Devoid of nightmares.

Remember that Tuesday in September across the globe for the lessons we have all learned since that infamous day in New York City, Washington, DC and Shanksville, Pennsylvania. For the children, teach them the truth.

06 September 2010

Protective Security: Discovery Lessons Learned...

Operational Risks at Discovery Communications are on the agenda for the next Board of Directors Meeting. The lessons learned are being discussed and there are many legal considerations after a gunman strapped with explosive devices held hostages in the lobby of the Silver Spring, Maryland company on September 1, 2010.

A security guard who called 911 after a gunman entered Discovery Channel's headquarters calmly told the operator: "You're probably going to need a sniper."

The call, released Friday, was one of several placed minutes after a gunman entered the lobby and took three hostages. Other callers described the propane tanks strapped to the gunman's body, and a blinking device in his left hand.

After hours of negotiating with James Lee, 43, police shot him to death as the hostages were preparing to make a break for it, police said.

Even in the first minutes after the siege began, Discovery security had an idea of who they were dealing with. A security employee told a 911 operator that they believed the man in the lobby was Lee. He told the operator Lee appeared disoriented, had propane tanks strapped to his chest and at least one person on the ground.

"It looks like he's got an IED. He looks like he's setting up an explosive device in the lobby, you're probably going to need a sniper," he tells the operator. "You gotta move fast."

In police radio transmissions, an officer described the suspect as an "Asian male following the do-not-admit sign Discovery has."

Since the attack on the Holocaust Museum in Washington, DC, where another lone gunman walked into the lobby with a rifle, there have been hours and hours of debriefing. There have been presentations on the protective security measures that worked. There are lessons learned on those measures and policies that failed. Yet one thing is certain in both of these incidents. The protective security strategy for an active shooter scenario is still up for debate.

The Holocaust Museum and Discovery Communications have differing philosophies about the design of a layered defense as it pertains to this type of threat. Discovery did not have protective security that was able to disarm and prevent Mr. Lee from entering their facility and taking hostages.

This blog has discussed the vulnerability that exists in every facility or digital network in terms of how attackers will exploit the vulnerability of Design, Implementation or Configuration. It is obvious in the case of Discovery that the attacker had done his homework and knew in advance that they do not have "Armed Guards" in the lobby. The larger lesson to both Discovery and to others is not so much about the decision of "Armed" vs. "Unarmed", as much as it might be on how and where visitors are allowed to access the building itself. The design of the Discovery Protective Security Process and design of the facility is a major Operational Risk.

Perhaps this message also needs to be sent to the commercial architects and the developers of buildings about why it is important to design protective security measures into the physical engineering of the facility to begin with. Making decisions about whether to arm your guard force with weapons, however, may not even need to be discussed if the process and design of your building security is done correctly.

  • First, the visitors' entrance and lobby area shall not be the same for employees. Ideally, the employees enter the building directly from the parking garage, which is also secured. Or even a secure side entrance if they commute to work. It is never good design to have employees entering in the same space with visitors.
  • Second, design the building so that the visitors' entrance is set back a minimum of 75 yards from the main facility, detached or connected only through a covered walkway or enclosed hallway. Ideally, the visitor screening and registration all occurs in this detached building with the first layer of the protective security team.
  • Third, once visitors are screened and given the green light, they may proceed to the secondary waiting lobby in the main facility. This, again, is a holding area until the visitor is greeted and escorted into the building with the company employee.

As good as the Discovery guards were at describing the situation unfolding before them, the fact remains that the attacker should never have had the opportunity to take any hostages. The Board of Directors may be taking into consideration many new ideas and digesting the lessons learned from Corporate Security. One can only wonder if they will increase the budget to be commensurate with the threat before them. The legal teams will be gearing up for a number of attempts to use this event as a platform for adversarial plaintiff suits.

Domestic Extremism is not just about a lone wolf who has a history of psychological issues. Violent activist groups who are active in the international movement to use animals, "The Earth" or other religious causes to fuel their justification are a growing threat, here and abroad.

Until last month, the small market town of Langnau in the rolling Swiss hills had two claims to fame: it was a centre for the production of Emmental cheese and one of the sunniest places in Switzerland.

Now, thanks to a routine police traffic inquiry, it has the dubious honour of being the location where one of Europe's biggest alleged acts of eco-terrorism was foiled.

On the night of April 15, 2010, local officers pulled over a car on one of the town's quiet streets.

Inside the vehicle they found a large cache of explosives, primed and ready to detonate.

The three people in the car are alleged to have been members of the murky Italian anarchist group Il Silvestre, who were reportedly on a mission to blow up the unfinished £55 million ($118 million) IBM nanotechnology facility.

The apparent attack is believed to be part of a new co-ordinated wave of eco-terror on the continent.

The IBM site is due to be opened next year and will be the most advanced centre for nanotech and biological scientific research in Europe. The group, formed in Tuscany, is considered by some to be one of the rising "eco-terror" groups in Europe, with a rigid cell structure, access to explosives, and a membership that supposedly has no qualms about killing to achieve its goals.


Protective Security measures to mitigate Operational Risks such as these require a comprehensive yet adaptive strategy. What may be most disturbing about the Discovery Channel incident is that the attacker all but announced his intentions on his website in advance. If you don't currently monitor the digital domains for your organization's benefit, then start this soon. You may be amazed at the "Open Source Intelligence" (OSINT) that exists on what Domestic Extremists are saying and planning for your company.

Even after the Twin Towers fell, environmental extremism was seen as a severe threat and, in 2006, Congress passed legislation - the Animal Enterprise Terrorism Act - which classified certain acts of civil disobedience, such as blockades, trespassing, property damage and the freeing of animals, as acts of terrorism.

An FBI assessment continued to reinforce fear of environmental radicals when it stated "together eco-terrorists and animal rights extremists are one of the most serious domestic terrorist threats in the US".

It warned that tactics were "becoming increasingly violent, with threats to life, not just to property".